Contents of the Manual
1. OSPF Main routing ospf gt area print Flags X disabled I invalid MikroTik RouterOS V2 6 Reference Manual 347 Open Shortest Path First OSPF Routing Protocol AME AREA ID 0 backbone 0 0 0 0 OSPF Main routing ospf gt network print Flags X disabled I invalid ETWORK AREA 0 10 1 0 0 24 backbone 1 1040 1 32 backbone OSPF Main routing ospf gt STUB DEFAULT COST AUTH none Note that the OSPF is configured only for the peerl and pptp in1 interfaces Since the pptp in1 is a point to point interface the network address has 32 bits OSPF peer 1 Router Setup The PPTP client configuration is as follows OSPF peer 1 gt ip route add dst address 10 2 0 2 32 gateway 10 3 0 2 interface pptp client add name pptp outl user ospf connect to 10 2 0 2 password asdf4 mtu 1500 mru 1500 interface pptp client enable pptp outl interface pptp client print Flags X disabled R running O R name pptp out1 mtu 1500 mru 1500 connect to 10 2 0 2 user ospf password asdf4 profile default add default route no interface pptp client monitor pptp out1 status uptime encoding OSPF peer 1 connected 39m46s none gt The IP address configuration of the OSPF peer 1 router is as follows OSPF peer 1 gt ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK B
2. [admin@MikroTik] routing rip> interface add interface=ether1 [admin@MikroTik] routing rip> interface print Flags: I - inactive 0 interface=ether1 receive=v2 send=v2 authentication=none authentication-key="" prefix-list-in=none prefix-list-out=none [admin@MikroTik] routing rip> [MikroTik RouterOS V2.6 Reference Manual 354, Routing Information Protocol (RIP)] Argument description: interface - physical network to access the first router; all - sets the defaults that will be used for all the interfaces not having specific settings. send - distributed RIP protocol versions. One of: v1, v1-2, v2. receive - RIP protocol versions the router can receive. One of: v1, v1-2, v2. authentication - authentication method for RIP messages: none - no authentication; simple - clear text authentication; md5 - Keyed Message Digest 5 (MD5) authentication. authentication-key - authentication key for RIP messages. prefix-list-in - name of the filtering prefix list for receiving routes. prefix-list-out - name of the filtering prefix list for advertising routes. The prefix lists should be defined under /routing prefix-list. See the corresponding manual for details on using prefix lists. Security issue: it is recommended not to use RIP version 1 when it is possible. RIP Networks: To start the RIP protocol, you have to define the networks on which RIP runs. Use the /routing rip network add command
3. interface Serial0 description connected to MikroTik ip address 1 1 1 2 255 255 255 252 serial restart delay 1 ip classless ip route 0 0 0 0 0 0 0 0 10 1 1 254 end CISCO Send ping packets to the MikroTik router CISCO ping 1 1 1 1 Typ scape sequence to abort Sending 5 100 byte ICMP Echos to 1 1 1 1 timeout is 2 seconds Success rate is 100 percent 5 5 round trip min avg max 28 32 40 ms CISCO Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 137 MOXA C502 Synchronous Interface Document revision 23 Sep 2002 This document applies to the MikroTik RouterOS V2 6 Overview The MikroTik RouterOS supports the MOXA C502 PCI Dual port Synchronous 8Mb s Adapter hardware The V 35 synchronous interface is the standard for VSAT and other satellite modems However you must check with the satellite system supplier for the modem interface type For more information about the MOXA C502 Dual port Synchronous 8Mb s Adapter hardware please see the relevant documentation e http www moxa com product sync C502 htm The product on line documentation e C101 SuperSync Board User s Manual The User s Manual in pdf format Contents of the Manual The following topics are covered in this manual e Synchronous Adapter Hardware and Software Installation Software Packages Software License System Resource Usage Installing the Synchronous Adapter
4. User statistics values are updated after the current session is closed. Values can be reset to 0 using the reset command. Optional Settings: 1. You may want to use the same address space both for your LAN and HotSpot networks. Please consult the IP Address and ARP Manual for the proxy-arp feature. 2. You may want to translate the destination address of all TCP port 25 connections (SMTP) from HotSpot users to your mail server for mail relaying. Thus, users can retain their mail client setup and use your mail server for outgoing mail without reconfiguring their mail clients. If 10.5.6.100 is your mail server accepting connections from network 10.5.50.0/24, then the required destination NAT rule would be: /ip firewall dst-nat add src-address=10.5.50.0/24 dst-port=25 protocol=tcp to-dst-address=10.5.6.100 action=nat comment="Translate SMTP TCP 25 port to our mail server" [MikroTik RouterOS V2.6 Reference Manual 244, HotSpot Gateway] 3. Another option is to allow access to certain pages without authentication. This is useful, for example, to give access to some general information about the HotSpot service provider or billing options. Include firewall rules in the forward chain allowing access to certain IP addresses prior to the rule that rejects all other traffic from temporary addresses. Also add rules excluding destination NAT for these addresses. For example: 1. in dst-nat, don't redirect requests going to your web server (x.x.x.x:80) this ru
5. O R name prisml mtu 1500 mac address 00 90 4B 02 17 E2 arp enabled mode ap bridge root ap 00 00 00 00 00 00 frequency 2442MHz ssid testing default authentication yes default forwarding yes max clients 2007 card type generic tx power auto supported rates 1 11 basic rates 1 admin MikroTik interface prism gt Use the registration table to see the associated clients Registration Table The registration table shows all clients currently associated with the access point for example admin MikroTik interface prism gt registration table print INTERFACE MAC ADDRESS TYPE PARENT O prisml 00 07 EB 30 E7 DA client 1 prisml 00 40 96 29 2F 80 client admin MikroTik interface prism gt Argument description for the registration table entry interface interface that client is registered to mac address mac address of the registered client type type of the client client client registered to the interface 4 local client learned from bridged interface 4 ap client is an access point forward client is forwarded from another access point 4 parent ap the access point this interface is connected to parent parent access point s MAC address if forwarded from another access point The print stats or print detail commands give additional per client statistics admin MikroTik interface prism gt registration table print stats O interface prisml ma
6. address - leased IP address for the client. mac-address - MAC address of the client. It is the base for static lease assignment. expires-after - time until the lease expires. server - server name which serves this client. lease-time - dictates the time that a client may use an address. netmask - the netmask to be given with the IP address coming from the range of addresses that can be given out. gateway - the default gateway to be used by the DHCP client. status - lease status: waiting - not used static lease; testing - testing whether this address is used or not; busy - this address is used in the network, so it cannot be leased; offered - server has offered this lease to a client, but did not receive client confirmation; bound - server has received client confirmation that it accepts the offered address and is using it now. Note that even though the client address is changed in the lease print list, it will not change for the client. This is true for any changes in the DHCP server configuration because of the DHCP protocol. The client tries to renew the assigned IP address only when half the lease time has passed (it tries to renew several times). Only when the full lease time has passed and the IP address was not renewed is a new lease asked for (rebind operation). Additional DHCP Resources. Links for DHCP documentation: http www ietf org rfc rfc2131 txt number 2131 http www isc org products DHCP http www linuxdoc org HOWTO mini DHCP htt
7. 1 Enable the Ethernet interface etherl interfac nabl therl 2 Configure prism1 interface Here you have to specify root ap MAC address so the Prism radio registers to the root AP Set mode bridge ssid br8 frequency 2447MHz root ap xx Xx XX XX XX xx and enable prism1 interface you can use mode ap bridge if you have Prism AP License interface prism set prisml mode bridge ssid br8 frequency 2447 TOOt ap XX XX XX XX xx xx disabled no Here substitute the xx xx xx xx xx xx with MAC address of MT parent prism interface 3 Check your setup and see if you have successfully registered to the root AP Its MAC address should be listed as parent ap in the registration table of prism interface for example admin MT child interface prism gt registration table print INTERFACE MAC ADDRESS TYPE PARENT O prisml 00 02 6F 01 CE 2A parent ap admin MikroTik interface prism gt 4 Add bridge interface and specify forwarded protocol list interface bridge add forward protocols ip arp other disabled no 5 Specify ports prisml and etherl that belong to bridge interface bridge port set etherl prisml bridge bridgel 6 Assign IP address 10 0 0 218 24 to the bridge interface ip address add address 10 0 0 218 24 interface bridgel 7 Set default route to 10 0 0 1 ip route add gw 10 0 0 1 Note that both LANs should use IP addresses from the same network 10 0 0 0 24 Both MikroTik routers
8. 2 X farsync2 farsync 1500 admineMikroTik interface gt admineMikroTik interface gt enable 1 admin MikroTik interface gt enable farsync2 admin MikroTik gt interface print Flags X disabled D dynamic R running NAME TYPE MTU O R etherl ether 1500 1 farsyncl farsync 1500 2 farsync2 farsync 1500 admineMikroTik interface gt More configuration and statistics parameters can be found under the interface farsyne menu admin MikroTik interface farsync gt print Flags X disabled R running 0 name farsyncl mtu 1500 line protocol sync ppp media type V35 clock rate 64000 clock source external chdlc keepalive 10s frame relay lmi type ansi frame relay dce no dl name farsync2 mtu 1500 line protocol sync ppp media type V35 clock rate 64000 clock source external chdlc keepalive 10s frame relay lmi type ansi frame relay dce no admin MikroTik interface farsync gt Argument description numbers Interface number in the list hdlc keepalive Cisco HDLC keepalive period in seconds 0 32767 clock rate Speed of internal clock clock source Clock source external internal disabled disable or enable the interface frame relay dce Operate in DCE mode yes no frame relay Imi type Frame Relay Local Management Interface type ansi ccitt line protocol Line protocol cisco hdlc frame relay sync ppp media type
9. Ethernet over IP (EoIP) Tunneling is a MikroTik RouterOS protocol that creates an Ethernet tunnel between two routers on top of an IP connection. The EoIP interface appears as an Ethernet interface. When the bridging function of the router is enabled, all Ethernet-level traffic (all Ethernet protocols) will be bridged just as if there were a physical Ethernet interface and cable between the two routers (with bridging enabled). This protocol makes multiple network schemes possible. Network setups with EoIP interfaces: • Possibility to bridge LANs over the Internet • Possibility to bridge LANs over encrypted tunnels • Possibility to bridge LANs over 802.11b 'ad-hoc' wireless networks. Contents of the Manual: The following topics are covered in this manual: • Installation • Hardware Resource Usage • EoIP Interface and Protocol Description • EoIP Setup • EoIP Application Example. Installation: The Ethernet over IP tunnel feature is included in the 'system' package. No installation is needed for this feature. Hardware Resource Usage: There is no significant resource usage. EoIP Interface and Protocol Description: An EoIP interface should be configured on two routers that have the possibility for an IP-level connection. The EoIP tunnel may run over an IPIP tunnel, a PPTP 128bit encrypted tunnel, a PPPoE connection, or any connection that transports IP. Specific Properties: • Each EoIP tunnel interface can connect with one remo
10. V2 6 Reference Manual 200 WaveLAN ORiNOCO 2 4GHz 11Mbps Wireless Interface Document revision 16 Sep 2002 This document applies to the MikroTik RouterOS V2 6 Overview Note MikroTik does not guarantee support for Orinocco Wavelan The MikroTik RouterOS supports the following WaveLAN ORiNOCO 2 4GHz 11Mbps Wireless Adapter hardware e ORiNOCO 2 4GHz 11Mbps PC Card Silver Gold firmware versions 4 xx 7 52 e ORiNOCO ISA and PCI adapters for using the PC card in desktop computers For more information about the WaveLAN ORiNOCO adapter hardware please see the relevant User s Guides and Technical Reference Manuals in pdf format from the manufacturer e gsg pc pdf ORINOCO PC Card Getting Started Guide e ug pc pdf ORINOCO PC Card User s Guide e GSG ISA pdf ORINOCO ISA Adapter Getting Started Guide e GSG PCL pdf ORiNOCO PCI Adapter Getting Started Guide Information about configuring the ORINOCO wireless access point can be found there e GSAP1000 pdf ORINOCO Access Point 1000 AP 1000 Getting Started Guide e ug OM pdf ORINOCO Manager Suite User s Guide Contents of the Manual The following topics are covered in this manual e Wireless Adapter Hardware and Software Installation Software Packages Software License System Resource Usage Installing the Wireless Adapter Loading the Driver for the Wireless Adapter e Wireless Interface Configuration e Wireless Troubleshooting e Wireless Network Applications Poin
11. admin MikroTik routing rip network gt add address 10 10 1 0 24 admin MikroTik routing rip network gt print ADDRESS o 10 10 1 0 24 admin MikroTik routing rip gt Argument description address the network address mask that is associated with the area It allows defining one or multiple interfaces RIP to be run on Only directly connected networks of the router may be specified network specifies the network mask of the address if it is not specified in the address argument Note that for P2P links here you should set exactly the same as the network address is that is remote point IP address In this case the correct netmask bits should be 32 RIP Neighbors To define a neighboring router with which to exchange routing information use the routing rip neighbour add command for example admin MikroTik routing rip gt neighbor add address 10 0 0 1 admin MikroTik routing rip gt neighbor print Flags I inactive ADDRESS 0 10 0 0 1 admin MikroTik routing rip gt MikroTik RouterOS V2 6 Reference Manual 355 Routing Information Protocol RIP Normally there is no need to add the neighbors if the multicasting is working properly within the network If there are problems with exchanging the routing information the neighbors can be added to the list It will force to exchange the routing information with the neighbor RIP Routes The routes installed by RIP and other routing protocols can b
12. exit voice service voip default h323 call start exit e Enable opening of RTP streams voice rtp send recv e Assign some E 164 number for local telephone for example 101 to port 0 0 dial peer voice 1 pots destination pattern 101 port 0 0 exit e create preferred codec listing voice class codec codec_class_number codec preference 1 g llulaw codec preference 2 g723r63 exit NOTE g723r53 codec can be used too e Tell that some foreign E 164 telephone number can be reached by calling to some IP address for example 098 by calling to 10 0 0 98 dial peer voice 11 voip destination pattern 098 session target ipv4 10 0 0 98 voice class codec codec_class_number exit NOTE instead of codec class one specified codec could be specified codec g7llulaw For reference following is an exported CISCO configuration that works version 12 1 no service single slot reload enabl service timestamps debug uptime service timestamps log uptime no service password encryption hostname Router logging rate limit console 10 except errors enable secret 5 1 bTMC NDG19 n pc30OMbtWxADMgl enable password 123 memory size iomem 25 ip subnet zero no ip finger j call rsvp sync voice rtp send recv voice class codec 1 codec preference 1 g7llulaw codec preference 2 g723r63 interface FastEthernet0 ip address 10 0 0 101 255 255 255 0 MikroTik RouterOS V2 6 Reference Manual 297 IP Telephony
13. if none session valid till date and time when session will expire Sep 21 2002 16 12 33 or if there is no session timeout idle timeout idle timeout 20m or if none bytes in number of bytes received from client 15423 bytes out number of bytes sent to client 11352 packets in number of packets received from client 251 4 packets out number of packets sent to client 211 e status html refresh_time time in seconds after which to automatically refresh status page refresh_time_str more friendly representation of refresh_time e error html 4 error error message DHCP lease not found To insert variable in some place in HTML file variable name surrounded by symbols is used For example to show link to login page following construction can be used lt a href Slink_login S gt login lt a gt It can be used in any hotspot HTML file Note that to insert symbol as a text not as a part of variable construction has to be used if there is only one symbol on a page or string between it and next symbol is not a valid variable name may be used with the same result Examples With basic HTML language knowledge and the information below it should be easy to implement the ideas described above 1 To provide predefined value as username change lt input type text Sinput_user gt to this line lt input type hidd
14. 10sec • TCP CLOSE wait (sent RTS): 60sec • TCP LAST ACK (received ACK): 30sec • TCP Listen (ftp server waiting for client to establish data connection): 2min • UDP timeout: 30sec • UDP with reply timeout (remote party has responded): 180sec • ICMP timeout: 30sec • All other: 10min. Troubleshooting: • I set the policy for the input chain to drop, and I lost connection to the router. You should add rules to the chain allowing required communications, and only then change the default policy of the chain! • I put up filtering rules, but they seem not to work. Use the Firewall logging to see whether you are matching the packets with your rules or not! The most common mistake is a wrong address/netmask, e.g., 10.0.0.217/24 (wrong), 10.0.0.217/32 (right), or 10.0.0.0/24 (right). • I am trying to use policy routing based on source addresses and masquerading, but it does not work. Masqueraded packets have source address 0.0.0.0 at the moment when they are processed according to the routing table. Therefore it is not possible to have masquerading with different source address. See the Routes Manual for more information. Additional Resources: Read about connection tracking at http www cs princeton edu jns security iptables iptables_conntrack html IP Firewall Applications: Further on, the following examples of using firewall rules are given: Basic Firewall Building Principles, Example of Firewall Filters, Example of Source NAT Masqu
15. IP Pool Description IP pools simply group IP addresses for further usage It is a single configuration point for all features that assign IP addresses to clients IP Pool Setup IP Pool management can be accessed under the ip pool submenu admin MikroTik ip pool gt print print values of item properties find finds items by value get get value of item s property set change item properties add create new item remov remove item export used admin MikroTik ip pool gt print NAME RANGES Oa 10 0 0 0 10 0 0 255 admin MikroTik ip pool gt Argument description MikroTik RouterOS V2 6 Reference Manual 254 IP Pool Management name name of the pool ranges IP address list of non overlapping IP address ranges in form of from1 tol1 from2 to2 fromN toN For example 10 0 0 1 10 0 0 27 10 0 0 32 10 0 0 47 To see the existent pools use print command admin MikroTik ip pool gt print NAME RANGES Oa 10 0 0 0 10 0 0 295 D 10 0 0 1 10 0 0 27 admin MikroTik ip pool gt RADIUS settings The IP pool name can be specified in a RADIUS server with FRAMED_POOL attribute id 88 RFC2869 Monitoring Used IP Addresses To see what addresses are currently used use used print command admin MikroTik ip pool gt used print POOL ADDRESS OWNER INFO b 10 0 0 27 DHCP 00 e0 c5 6e 23 1d admin MikroTik ip pool gt Copyright 1999 2002 MikroTik MikroTik RouterOS
16. MikroTik RouterOS V2.6 Reference Manual 47, SSH Installation and Usage. Suggested Windows Client Setup: PuTTY is a free Windows (all Windows) SSH client which needs no installation. It is one exe file which can be downloaded and run. Download this program from http www chiark greenend org uk sgtatham putty html Simple instructions: 1. After downloading, run the program. 2. Set the connection type to SSH. 3. On the first connection to the router, a Security Alert will notify that the server's host is not in the registry. Answer YES to trust this server. 4. The normal router login will not be displayed. Instead, "login as:" and "name@xxx.xxx.xxx.xxx's password:" will appear. Suggested UNIX/Linux Client Setup: An SSH client exists and generally is installed by default for all standard Linux distributions. The command ssh -l <username> <router address> will initiate a connection. Winbox connections are encrypted (TLS) if the ssh package is installed. Additional Resources: Links for Windows Client: http www zip com au roca ttssh html http www chiark greenend org uk sgtatham putty html http pgpdist mit edu FiSSH index html http telneat lipetsk ru http support jgaa com cmd ShowArticle amp ID 11 http akson sgh waw pl chopin ssh index_en html http cs mscd edu MSSH index html http www networksimplicity com openssh Other links: http www openssh com http www freessh org Copyright 1999 2002 Mikr
17. Serial Console. Document revision 12-Aug-2002. This document applies to the MikroTik RouterOS v2.6. Overview: The Serial Console feature allows configuring one serial port of the MikroTik router for access to the router's Terminal Console over the serial port. A special null-modem cable is required to connect the router's serial port with the workstation's or laptop's serial (COM) port. A terminal emulation program, e.g., HyperTerminal, should be run on the workstation. Alternatively, another MikroTik router can be used as a terminal, if its communication port is configured as a serial terminal. See the relevant manual for details. Contents of the Manual: The following topics are covered in this manual: • Installation • Hardware Resource Usage • Serial Console Configuration • Troubleshooting. Installation: The Serial Console feature is included in the 'system' package. No installation is needed for this feature. Hardware Resource Usage: There is no significant resource usage. Serial Console Configuration: A special null-modem cable should be used for connecting to the serial console. The Serial Console cabling diagram for DB9 connectors is as follows: [DB9 null-modem cabling diagram] After installation of the MikroTik RouterOS, the serial console is configured to use port serial0 (COM1 on the motherboard), if available. To check the Serial Console settings, use: [admin@MikroTik] system serial-console> print enabled: n
18. Wireless Network 10 1 1 0 24 ty interface wavelan1 MikroTik i address 10 1 1 12 24 interface bridget address 192 168 0 254 24 LAN Segment 1 LAN Segment 2 Bridged Network 192 168 0 0 24 When configuring the MikroTik router for bridging you should do the following 1 Add bridge interface 2 Configure the bridge interface 3 Enable the bridge interface 4 Assign an IP address to the bridge interface if needed Note that there should be no IP addresses on the bridged interfaces Moreover IP address on the bridge interface itself is not required for the bridging to work When configuring the bridge settings each protocol that should be forwarded should be added to the forward protocols list The other protocol includes all protocols not listed before as VLAN admin MikroTik interface bridge gt add forward protocols ip arp other admin MikroTik interface bridge gt print Flags X disabled R running 0 X name bridgel mtu 1500 arp enabled mac address 00 00 00 00 00 00 forward protocols ip arp other priority 1 admin MikroTik interface bridge gt The priority argument is used by the Spanning Tree Protocol to determine which port remains enabled if two ports form a loop Next each interface that should be included in the bridging port table admin MikroTik interface bridge port gt print Flags X disabled INTERFACE BRIDGE 0 etherl none 1 ether
19. admin MikroTik gt There can be several reasons for a failure to load the driver for example e The driver cannot be loaded because other device uses the requested IRQ Try to set the IRQ assignment to PCI slots using the system BIOS configuration Interface Configuration If the driver has been loaded successfully no error messages and you have the required Synchronous Software License then the cyclades interface should appear under the interfaces list with the name cycladesX where X is 1 2 To enable the interface use the enable command admin MikroTik gt interface print Flags X disabled D dynamic R running AME TYPE MTU O R etherl ether 1500 1 X cycladesl cyclades 1500 admin MikroTik interface gt enable 1 admin MikroTik gt interface print Flags X disabled D dynamic R running AME TYPE MTU O R etherl ether 1500 1 cyclades1 cyclades 1500 admin MikroTik interface gt More configuration and statistics parameters can be found under the interface cyclades menu For the Cyclades PC300 RSV Synchronous PCI Adapter you should set the mtu to 1500 and have other argument values as below admin MikroTik gt interface prism print Flags X disabled R running O R name cyclades1 mtu 1500 line protocol cisco hdlc media type V35 clock rate 64000 clock source external line code B8ZS framing mode ESF line build out 0dB rx sensitivity short haul frame relay lmi
20. admin MikroTik system script gt add name log test source log message kuku admin MikroTik system script gt print 0 name log test source log message kuku owner admin run count 0 admin MikroTik system script gt Argument description name name of the script to be referenced when invoking it If not specified the name is MikroTik RouterOS V2 6 Reference Manual 32 Scripting Manual generated automatically as scriptX X 1 2 source the script itself owner user s name who created the script run count usage counter This counter is incremented each time the script is executed it can be reset to zero by setting run counter 0 last started date and time when the script has been last invoked The argument is shown only if the run count 0 Note that the counters will reset after reboot You can execute a script by using the run command To manage the active or scheduled tasks use the system script job menu You can see the status of all currently active tasks using the print command For example we have a script that delays some process for 10 minutes admineMikroTik system script gt add name DelayeD source delay 10m admin MikroTik system script gt print O name log test source log message kuku owner admin last started may 09 2001 03 22 19 run count 1 1 name DelayeD source delay 10m owner admin run count 0 admin MikroTik system script gt run DelayeD admin
21. h323 setup time call setup time h323 conf id unique session ID h323 remote address the remote address of the session NAS Port Id voice port ID Acct Status Type record type START session is established MikroTik RouterOS V2 6 Reference Manual 288 IP Telephony STOP session is closed INTERIM UPDATE ALIVE session is alive The time between the messages is defined by interim update interval parameter if it is set to Os there will be no such messages Note that all the parameters which names begin with h323 are CISCO vendor specific Radius attributes IP Telephony Gatekeeper admin MikroTik ip telephony gatekeeper gt print gatekeeper local remote id remote address 0 0 0 0 registered yes registered with tst 2 7 localhost Description of parameters gatekeeper Select which gatekeeper to use none don t use any gatekeeper at all local start and use local gatekeeper 4 remote use some other gatekeeper remote address IP address of remote gatekeeper to use If set to 0 0 0 0 broadcast gatekeeper discovery is used remote id name of remote gatekeeper to use If left empty first available gatekeeper will be used Name of locally started gatekeeper is the same as system identity registered shows whether local H 323 endpoint is registered to any gatekeeper registered with name of gatekeeper to which local H 323 endpoint is registered
22. interface type MTU maximum transmit unit for the interface in bytes You can monitor the traffic passing through any interface using the interface monitor command admin MikroTik interface gt monitor traffic ether6 received packets per second 271 received bytes p second 148 4kbps sent packets p second 600 sent bytes p second 6 72Mbps KR BK admineMikroTik interface gt You can monitor one or more interfaces at a time for example admin MikroTik interface gt monitor traffic ether2 prisml received packets per second 2 0 received bits per second 960 00bps 0 00bps sent packets per second 2 0 sent bits per second 2 57kbps 0 00bps MikroTik RouterOS V2 6 Reference Manual 65 General Interface Settings admineMikroTik interface gt Interface Specific Settings Specific interface configuration is under the interface _name_ submenu for example admin MikroTik interfac thernet gt print detail Flags X disabled R running O R name ether2 mtu 1500 mac address 00 E0 C5 68 11 04 arp enabled disable running check yes admin MikroTik interfac thernet gt Argument description apr Address Resolution Protocol one of the disabled the interface will not use ARP protocol enabled the interface will use ARP protocol proxy arp the interface will be an ARP proxy see corresponding manual reply only the interface will only reply to t
23. interfaces Provides support for frame relay framerelay used with Moxa C101 Cyclades PC300 or FarSync interfaces any hotspot HotSpot gateway additional license Provides Ipsec support arlan Provides support for DSSS 2 4GHz 2 4GHz 2mbps Aironet ISA cards wireless cyclades MikroTik RouterOS V2 6 Reference Manual 52 Software Package Installation and Upgrading isan ProvidessupportforISDN ppp k Provides LCD monitor support f Provides support for Moxa C101 moxa c101 synchronous synchronous card synchronous card si Provides network time protocol P support Provides OSPF support list Provides Prefix List support for k BGP and RIP Provides asynchronous PPP support Provides PPPoE support pptp Provides PPTP support ee po Provides support for Prism II chipset based IEEE 802 11b prism wireless cards as clients or as access points radiolan Provides support for 5 8GHz tadiolan RadioLAN ISA cards rip Provides RIP support F 1 Provides read only SNMP support b Provides remote access via ssH_ Foo Provides IP telephony support e piony H 323 for Quicknet cards ee Provides APC Smart Mode UPS P support bi Provides support fot IEEE 802 1Q Virtual LAN Provides support for Lucent WaveLAN IEFE 802 11 wireless cards support Provides support for Xpeed 300 SDSL cards PE If additional license is required to enable the functionality of a software package the license should be obtai
24. then the hardware CODECs are ignored only software CODECs sw are used The choice of the CODEC type is based on the throughput and speed of the network Better audio quality can be achieved by using CODEC requiring higher network throughput The highest audio quality can be achieved by using the G 711 uLaw CODEC requiring 64kb s throughput for each direction of the call It is used mostly within a LAN The G 723 1 CODEC is the most popular one to be used for audio connections over the Internet It requires only 6 3kb s throughput for each direction of the call IP Telephony Accounting The RADIUS accounting feature can be configured under ip telephony accounting menu admin MikroTik ip telephony accounting gt print enabled no radius server 0 0 0 0 shared secret secondary radius server 0 0 0 0 secondary shared secret interim update interval 0s admin MikroTik ip telephony accounting gt Argument description enabled defines whether RADIUS client is enabled or not radius server IP address of accounting RADIUS server shared secret secret shared with RADIUS server secondary radius server IP address of secondary RADIUS server secondary shared secret secret shared with secondary RADIUS server interim update interval defines time interval between communications with the router If this time will exceed RADIUS server will assume that this connection is down This value is suggested to
25. 1 Lp 2 6betal aug 09 2002 20 33 41 no 2 ppp 2 6betal aug 09 2002 20 28 01 no 3 plist 2 6betal aug 09 2002 20 32 58 no 4 pppoe 2 6betal aug 09 2002 20 29 18 no 5 pptp 2 6betal aug 09 2002 20 28 43 no 6 ssh 2 6beta aug 09 2002 20 25 31 no 7 advanced tools 2 6betal aug 09 2002 20 53 37 no 7 bgp 2 6betal aug 09 2002 20 34 22 no 9 ipsec 2 6betal aug 09 2002 20 24 51 no 10 ospf 2 6betal aug 09 2002 20 34 08 no MikroTik RouterOS V2 6 Reference Manual 360 MikroTik RouterOS V2 6 Reference Manual Border Gateway Protocol BGP Routing Protocol admin MikroTik gt Hardware Resource Usage The BGP requires additional RAM for storing the routing information It is recommended to have 128MB or more RAM BGP Description For BGP description and implementation guidelines please refer to the readings mentioned in the list of Additional Resources Current document discusses BGP configuration for MikroTik RouterOS BGP Setup The BGP management can be accessed under the routing bgp submenu Setting the Basic BGP Configuration To enable the BGP and set the AS number use the routing bgp set command for example admin MikroTik routing bgp gt print enabled no as 0 router id 0 0 0 0 redistribute static no redistribute connected no redistribute rip no redistribute ospf no state disabled admineMikroTik Xi redistribut admineMikroTik routing bgp gt set as 65002 router id 159 148 147 206 enabled ye
26. 10 150 1 0 24 10 0 103 2 1 admin HomeOffice ppp secret gt Test the PPTP tunnel connection RemoteOffice gt ping 10 0 103 1 10 0 103 1 pong ttl 255 time 3 ms 10 0 103 1 pong ttl 255 time 3 ms 10 0 103 1 pong ttl 255 time 3 ms ping interrupted 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms Test the connection through the PPTP tunnel to the LocalHomeOffice interface admin RemoteOffice gt ping 10 150 2 254 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 time 3 ms 10 150 2 254 pong ttl 255 time 3 ms MikroTik RouterOS V2 6 Reference Manual 170 Point to Point Tunnel Protocol PPTP ping interrupted 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 3 3 0 3 ms To bridge a LAN over this secure tunnel please see the example in the EoIP section of the manual To set the maximum speed for traffic over this tunnel please consult the Queues section Connecting a Remote Client via PPTP Tunnel The following example shows how to connect a computer to a remote office network over PPTP encrypted tunnel giving that computer an IP address from the same network as the remote office has without need of bridging over eoip tunnels Please consult the respective manual on how to set up a PPTP client with the software you are using Internet Encrypted gt network 192 165 800 PPTP Tunnel ne
27. For each H 323 endpoint gatekeeper stores its telephone numbers So gatekeeper knows all telephone numbers for all registered endpoints And it knows which telephone number is handled by which endpoint Mapping between endpoints and their telephone numbers is the main functionality of gatekeepers If endpoint is registered to endpoint it does not have to know every single endpoint and every single telephone number which can be called Instead every time some number is dialed endpoint asks gatekeeper for destination endpoint to call by providing called telephone number to it In most simple case with one phonejack card and some remote gatekeeper configuration can be as follows admin MikroTik ip telephony voice port gt print Flags X disabled NAME TYPE AUTODIAL 0 phonejackl phonejack 1 voipl voip admin MikroTik ip telephony voice port voip gt print Flags X disabled D dynamic R registered AME AUTODIAL REMOTE ADDRESS JITTER BUFFER PREFERED CODEC SIL FAS 0 voipl 0 0 0 0 Os none no yes admin MikroTik ip telephony numbers gt print Flags I invalid X disabled D dynamic R registered DST PATTERN VOICE PORT PREFIX 0 11 phonejackl 1 voipl admin MikroTik ip telephony gatekeeper gt print MikroTik RouterOS V2 6 Reference Manual 289 IP Telephony gatekeeper remot remote id remote address 10 0 0 98 registered yes registered with
28. J rejected connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 DO 0 0 0 0 0 O OZ 110 main 1 DO 192 168 0 0 24 r 10 3 0 1 110 to peerl 2 DC 10 2 0 0 24 0 0050 0 main 3 DC 10 3 0 0 24 r 0 0 0 0 0 to peerl 4 DO 10 1 0 0 24 r 10 3 0 1 110 to peerl r 10 2 0 2 main 5 DO 10 0 0 0 24 ELO 20 2 110 main admin OSPF peer 2 gt Please note the three equal cost multipath routes multiple gateways for one destination in this setup They have been created by the OSPF because there is equal cost to go for example from the router OSPF peer 2 to the network 10 1 0 0 24 The cost is calculated as the sum of costs over each hop to the destination Unless this is specially desired we may want to avoid such situations i e adjust the cost settings for the interfaces links accordingly Routing Tables with Revised Link Cost Let us assume that the link between the routers OSPF peer 1 and OSPF peer 2 has a higher cost might be slower we have to pay more for the traffic through it etc Since we have left all ospf interface cost settings as default cost 1 we need to change the following settings admin OSPF peer 1 gt routing ospf interface add interface backup cost 50 admin OSPF peer 2 gt routing ospf interface add interface to peer2 cost 50 The revised network diagram MikroTik RouterOS V2 6 Reference Manual 343 Open Shortest P
29. MikroTik 10 0 0 98 In this case this endpoint will register to gatekeeper at IP address 10 0 0 98 with telephone number 11 Every call to telephone number 11 will be transferred from gatekeeper to this endpoint And this endpoint will route this call to phonejack1 voice port On any other telephone number gatekeeper will be asked for real destination From this endpoint it will be possible to call all the endpoints which are registered to the same gatekeeper If that gatekeeper has static entries about endpoints which are not registered to gatekeeper it still will be possible to call those endpoints by those statically defined telephone numbers at gatekeeper MikroTik IP telephony package includes very simple gatekeeper This gatekeeper can be activated by setting gatekeeper parameter to local In this case local endpoint automatically is registered to local gatekeeper And any other endpoint can register to this gatekeeper too Registered endpoints are added to ip telephony voice port voip table Those entries are marked with D dynamic These entries can not be removed and their remote address can not be changed If there already was a voip entry with the same IP address it is marked with R registered Remote address can not be changed for these entries too But registered voip voice ports can be removed they will stay as dynamic If there is already dynamic voip voice port and static voip voice port with the same IP ad
30. MikroTik RouterOS V2 6 Reference Manual 182 PrismII Wireless Client and Wireless Access Point Manual Troubleshooting e The prism interface does not show up under the interfaces list Obtain the required license for 2 4GHz wireless feature e The access list has entries restricting the registration but the node is still registered Set some parameter of the prism interface to get all nodes re register e The wireless card does not register to the AP Check the cabling and antenna alignment Wireless Network Applications Three possible wireless network configurations are discussed in the following examples e Wireless Client e Wireless Access Point e Wireless Bridge Wireless Client Let us consider the following point to multipoint network setup with CISCO Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client [Figure: network diagram. Internet; Wireless Access Point ssid mt frequency 2442 address 10 0 0 250 24 gateway 10 0 0 1; 2 4GHz Wireless Network 11Mbps 10 0 0 0 24; Wireless Router MikroTik interface prism1 ssid mt mode station address 10 0 0 217 24, interface ether address 192 168 0 254 24; Local Network 192 168 0 0 24; Workstation 192 168 0 1; Laptop 192 168 0 2] The access point is connected to the wired network s HUB and has IP address from the network 10 0 0 0 24 The minimum configuration required for the AP is 1 S
31. Similarly if additional license is required to enable the functionality of a software package the license should be obtained for the Software ID of your system The new key should be entered using the system license set key command and the router should be rebooted afterwards admin MikroTik ip firewall src nat gt system license print software id SB5T R8T key 3YIY ZV8 DH2 upgradable unitl may 01 2003 admin MikroTik system license gt feature print Flags X disabled FEATURE O X AP 1 X synchronous 2 X radiolan 3 X wireless 2 4gHz 4 licensed admin MikroTik system license gt set key D45G IJ6 QM3 admin MikroTik system license gt system reboot Reboot yes y Nl y system will reboot shortly If there is no appropriate license the appropriate interfaces wont show up under the interface list even though the packages can be installed on the MikroTik RouterOS and corresponding drivers loaded MikroTik RouterOS V2 6 Reference Manual 7 Navigating the Terminal Console After logging into the router you will be presented with the MikroTik RouterOS Welcome Screen and command prompt for example M MM KKK KKK MMM MMMM KKK KKK MM MMMM MMM III KKK KKK RRRRRR 000000 III KKK KKK M MM MM III KKKKK RRR RRR 000 OOO III KKKKK M MM III KKK KKK RRRRRR 000 O00 III KKK KKK M MM III KKK KKK RRR RRR 000000 III KKK KKK be
32. The package can be downloaded from MikroTik s web page www mikrotik com To install the package please upload one to the router with ftp and reboot RIP Routing Setup RIP general settings are under the routing rip menu admin MikroTik routing rip gt RIP is interior gateway protocol based on distance vector algorithm Route which has the smallest number of hops gateways to destination is used RIP is described in RFC1058 and RIPv2 in RFC2453 interface RIP interface settings neighbor route network print Show RIP settings get get value of property set Change RIP settings export Export RIP settings admin MikroTik routing rip gt print redistribute static no redistribute connected no redistribute ospf no redistribute bgp no MikroTik RouterOS V2 6 Reference Manual 353 Routing Information Protocol RIP metric static 1 metric connected 1 metric osptf 1 metric bgp 1 update timer 30s timeout timer 3m garbage timer 2m fadmin MikroTik Argument description routing rip gt e redistribute static redistribution of static routes to neighbor routers e redistribute connected redistribution of connected routes to neighbor routers e redistribute ospf redistribution of routes learned by OSPF to neighbor routers e redistribute bgp redistribution of routes learned by BGP to neighbor routers e metric static metric the distance to the destination for static routes e
33. These rules can be used with real physical receiving transmitting interfaces as well as with bridge interface that simply groups bridged interfaces More information about firewall building can be found in Firewall Filters and Network Address Translation NAT manual Additional Bridge Firewall Resources Links for Bridge Firewall documentation http users pandora be bart de schuymer ebtables br_fw_ia br_fw_ia html Troubleshooting e After I configure the bridge there is no ping response from hosts on bridged networks It may take up to 20 30s for bridge to learn addresses and start responding e When I do a Bridge between the Ethernet and Wireless Interface I lose the network connection to the router via Ethernet When network interface is assigned to a bridge its ip address should be set on the bridge interface as well Leaving IP address on a bridged interface makes no sense e I have added a bridge interface but no IP traffic is passed You should include arp in forwarded protocols list e g forward protocols ip arp other Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 84 CISCO Aironet 2 4GHz 11Mbps Wireless Interface Document revision 16 Sep 2002 This document applies to the MikroTik RouterOS V2 6 Overview The MikroTik RouterOS supports the following CISCO Aironet 2 4GHz Wireless ISA PCI PC Adapter hardware e Aironet ISA PCI PC4800 2 4GHz DS 11Mbps Wireless LAN Adapters 100m
34. Type of the media V24 V35 X21 mtu Maximum Transmit Unit 68 1500 bytes Default value is 1500 bytes name New interface name You can monitor the status of the synchronous interface admin MikroTik interface farsync gt monitor 0 card type T2P FarSync T Series state running firmware id 2 firmware version 0 7 0 physical media V35 cable detected clock not detected input signals CTS output signals RTS DTR admin MikroTik interface farsync gt Troubleshooting e The farsync interface does not show up under the interface list Obtain the required license for synchronous feature MikroTik RouterOS V2 6 Reference Manual 109 FarSync X 21 Interface e The synchronous link does not work Check the cabling and the line between the modems Read the modem manual MikroTik RouterOS V2 6 Reference Manual 110 Synchronous Link Applications One possible synchronous line configurations is discussed in the following example e MikroTik Router to MikroTik Router MikroTik Router to MikroTik Router Let us consider the following network setup with two MikroTik Routers connected to a leased line with baseband modems Internet interface Public address 10 1 1 12 24 interface fsync address 1 1 1 2 32 Ys MikroTik Baseband Modern Baseband Modem MikroTik V3 eee m interface farsync1 address 1 1 1 1 32 interface ether2 address 10 0 0 254 24 om 10 0 0 0 24 interfac
35. Use authentication for disabling unwanted bandwidth wasting Note that remote router must be MikroTik router in order to run the test MikroTik RouterOS V2 6 Reference Manual 403 Bandwidth Test session print get get value of property set export admin MikroTik tool gt bandwidth server print enabled yes authenticate no allocate udp ports from 2000 max sessions 10 admin MikroTik tool gt Setting description enable enable client connections for bandwidth test authenticate communicate only with clients authenticated by a valid username and password allocate udp ports from allocate UDP ports from max sessions maximal number of bandwidth test clients The list of current connections can be obtained in the session submenu admin MikroTik tool gt bandwidth server session print print values of item properties remov remove item admin MikroTik tool gt bandwidth server session print FRO PROTOCOL DIRECTION USER 0 10 0 0 202 tcp send admin MikroTik tool gt Bandwidth Test Client Configuration Bandwidth Test uses TCP or UDP protocol for test The test tries to use maximum or partial amount of bandwidth to test link speed Be aware that default test uses all available bandwidth and may impact network usability admin MikroTik tool gt bandwidth test Run TCP or UDP bandwidth test Tries to use maximum or partial amount of bandwidth to test link speed Note that
36. V2 6 Reference Manual 255 IPsec Document revision 30 Dec 2002 This document applies to the MikroTik RouterOS V2 6 Overview IPsec IP Security supports secure encrypted communications over IP networks Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e How IPsec Works Encryption Decryption Internet Key Exchange IKE Traffic e IPsec Setup Policy Settings 4 Peer 4 Pre shared secret 4 Manual SA Proposal Installed SA 4 Counters e Application examples IPsec setup between two RouterOS routers IPsec Setup for Routing Between two Masquerading MikroTik Routers IPsec Setup Between MikroTik and CISCO Routers 0 Configuring RouterOS 0 Configuring Cisco 0 Testing IPsec setup between RouterOS router and Windows SonicWall Client 0 Configuring RouterOS 0 Configuring SonicWALL 0 Testing Installation Please download the ipsec 2 6 x npk package from the MikroTik s web site upload the package to the router and reboot Note that you cannot install IPsec package without SSH installed Use the system package print command to see the list of installed packages MikroTik RouterOS V2 6 Reference Manual 256 IPsec Hardware Resource Usage IPsec consumes a lot of CPU time so it needs powerful processor Intel Pentium MMX or AMD K6 suggested as minimal configuration How IPsec Works Encryption After packet is src na
37. When connecting to the MikroTik router via http TCP port 80 the router s Welcome Page is displayed in the web browser for example MikroTik RouterOS V2 6 Reference Manual 11 Accessing the Router Remotely Using Web Browser and WinBox Console x MikroTik RouterOS Managing Webpage Microsoft Internet Explorer Se E Vow fyvctine fede Hop oe 3 a 2 4 3 8 Back Frater Stop Refresh Home Search Favorites History Mal MikroTik RouterOS 2 6 Controlling Web Page 1 MikroTik WinBox Console Download and run the RouterOS GUI client WinBox has optional command line arguments winbox lt address gt lt login gt lt password gt a RouterOS Terminal Console Telnet to the router and use the ASCII Terminal Console P MikroTik RouterOS Reference Manual Reference Manual is available on the router Additional documentation is available at http www mikrotik com documentation html MIKROTIK ROUTER SOFTWARE END USER LICENCE AGREEMENT Copyright 1999 2000 2001 2002 MikroTik http www mikrotik coms MikroTik is a trademark of SIA MikroTikls By clicking on the Winbox Console link you can start the winbox exe download Choose the option Run this program from its current location and click OK MikroTik RouterOS V2 6 Reference Manual 12 Accessing the Router Remotely Using Web Browser and WinBox Console File Download x You have chosen to download a file from this location winbox exe
38. address either address or pool Assigns an individual address to the PPP Server remote address either address or pool Assigns an individual address to the PPP Client session timeout The maximum time the connection can stay up When set to 0 there is no timeout idle timeout The link will be terminated if there is no activity within the time set in seconds When set to 0 there is no timeout use compression defines whether compress traffic or not use vj compression use Van Jacobson header compression use encryption defines whether encrypt traffic or not require encryption defines whether require encryption from the client or simply prefer it MikroTik RouterOS V2 6 Reference Manual 147 General Point to Point Settings only one allow only one connection at a time tx bit rate Transmit bitrate in bits s rx bit rate Receive bitrate in bits s incoming filter Firewall chain name for incoming packets If not empty for each packet coming from client this firewall chain will get control outgoing filter Firewall chain name for outgoing packets If not empty for each packet coming to client this firewall chain will get control Note that filter rules jumping to the specified firewall chain are added automatically to the ppp firewall chain This means that you should create ppp chain and pass some or all the packets to it in order to get filtering
39. admin MikroTik gt system resource io print PORT RANGE OWNER 20 3F APIC 40 5F timer 60 6F keyboard 80 8F DMA AO BF APIC CO DF DMA FO FF FPU 1F0 1F7 IDE 1 2F8 2FF serial port 3C0 3DF VGA 3F6 3F6 IDE 1 3F8 3FF serial port CF8 CFF PCI conf1 EEOO EEFE Realtek Semiconductor Co Ltd RTL 8139 EEOO EEFE 8139to0 EF80 EFFE Cyclades Corporation PC300 TE 1 EF80 EFFE PLX Registers FCOO FC7F Cyrix Corporation 5530 IDE Kahlua FCOO FCO7 IDE 1 FCO8 FCOF IDE 2 admin MikroTik gt MikroTik RouterOS V2 6 Reference Manual 95 Cyclades PC300 PCI Adapters Installing the Synchronous Adapter You can install up to four Cyclades PC300 PCI Adapters in one PC box if you have so many adapter slots and IRQs available Check the system BIOS settings for peripheral devices like Parallel or Serial communication ports Disable them if you plan to use IRQ s assigned to them by the BIOS The Cyclades PC300 PCI Adapter should be recognized by your motherboard automatically and appear on the list of PCI devices as Simple COMM Controller with the IRQ assigned to it Loading the Driver for the Cyclades PC300 PCI Adapter The driver for the Cyclades PC300 PCI Adapter is loaded automatically at the system startup You can check if the driver has been loaded by issuing the following command admin MikroTik gt driver print Flags I invalid D dynamic DRIVER IRQ IO MEMORY ISDN PROTOCOL 0 D Cyclades 1 D RealTek 8139
40. and configure it so that your real proxy is parent proxy In this situation your real proxy does not have to be transparent any more as proxy on router will be transparent and will forward proxy style requests according to standard these requests include all necessary information about web server to real proxy Connection Tracking Connections through the router and their states can be monitored at ip firewall connection for example admin MikroTik ip firewall connection gt print Flags U unreplied A assured SRC ADDRESS DST ADDRESS PR ICP STATE TIMEOUT 0 A 10 5 91 205 1361 VOD 233322 tcp established 4d23h59m55s 1 A 10 5 91 205 1389 OA tcp established 4d23h59m21s 2 A OOO 20521373 10 5 91 254 3986 tcp established 4d23h59m56s MikroTik RouterOS V2 6 Reference Manual 225 Firewall Filters and Network Address Translation NAT SAO 91 20541347 1591487 LIZ S23 tcp established 4d23h35m14s 4 A 80 232 241 3 1514 159 148 172 204 1723 tcp established 4d23h59m53s 5 159 148 172 204 80 232 241 3 47 9m21s admin MikroTik ip firewall connection gt Connection timeouts are as follows e TCP SYN sent First stage in establishing a connection 2min e TCP SYN recvd Second stage in establishing a connection 60sec e Established TCP connections Third stage 5 days e TCP FIN wait connection termination 2min e TCP TIME wait connection termination 2min e TCP CLOSE remote party sends RTS
41. disabled SRC ADDRESS DST ADDRESS DST PORT URL ACTION 0 0 0 0 0 0 0 0 0 0 0 0 65535 mp3 deny 1 10 0 0 1 32 0 0 0 0 0 0 65535 allow 2 0 0 0 0 0 0 0 0 0 0 0 65535 ftp deny 3 10 0 0 0 24 10 9 9 128 28 0 65535 allow 4 0 0 0 0 0 0 0 0 0 0 0 65535 deny admin MikroTik ip web proxy access gt Argument description src address source address of the request dst address destination address of the request dst port destination port of the request url the URL of the request Can be regular expression action action to take allow deny Access list shown above disables access to any mp3 files for everyone Local gateway 10 0 0 1 has access to everything else excluding mp3 files All other local network 10 0 0 0 24 users have access to servers located at 10 9 9 128 28 but ftp protocol is not allowed for them Any other request is denied Details about regular expressions used in url field can be found here http www cs utah edu dept old texinfo regex regex_toc html Security Notice If you have web proxy running someone is probably using you as a relay You have to use access rules in the web proxy setting denying all IP addresses except those behind the router Also consult examples in Firewall Manual on how to protect your router Direct Access List MikroTik RouterOS V2 6 Reference Manual 318 WEB Proxy If parent proxy is specified it is possible to tell proxy server whether to try t
42. e monitor commands that have do argument See details below Introducing variable has no effect on other scripts that may be running It just tells the current script what variable names can be used and where to get their values After variable is no longer needed its name can be freed by unset command If you free local variable its value is lost If you free global variable its value is still kept in router it just becomes inaccessible from current script MikroTik RouterOS V2 6 Reference Manual 37 Scripting Manual Changing variable values You can assign new value to variable using set command It has two unnamed arguments First is name of variable Second is the new value of variable admin MikroTik gt local counter admin MikroTik gt set counter 0 admin MikroTik gt put counter P E 0 admin MikroTik gt set counter counter 1 admin MikroTik gt put counter Bp admin MikroTik gt Because increasing or decreasing variable s value by one is such a common case there are two commands that do just that incr increases value of variable by 1 and decr decreases it by 1 incr counter put Scounter fadmin MikroTik fadmin MikroTik 2 admineMikroTik gt gt gt Variable must contain integer number value otherwise these commands will fail Command substitution return values Some console commands are most useful if their output can be u
43. enabled yes port seriall off line time 5m min run time 5m alarm setting immediate rtc alarm setting immediate model Back UPS Pro 420 version 11 4 1 serial number NB9941252992 manufacture date 10 08 99 nominal battery voltage 12 admin MikroTik system ups gt Runtime Calibration Command name system ups run time calibration Description The run time calibration command causes the UPS to start a run time calibration until less than 25 of full battery capacity is reached This command calibrates the returned run time value MikroTik RouterOS V2 6 Reference Manual 397 UPS Monitor Notes The test begins only if battery capacity is 100 Example MikroTik system ups gt run time calibration UPS Monitoring Command name system ups monitor Property Description on line yes no whether power is being provided by the external utility power company on battery yes no whether UPS battery is supplying power transfer cause only shown when the unit is on battery the reason for the most recent transfer to on battery operation unacceptable utility voltage rate of change detection of high utility voltage detection of low utility voltage detection of a line voltage notch or spike transfer in response to battery test or run time calibration low battery Only shown when the UPS report this status replace battery Only shown when the UPS report this
44. except for mangle go on to the next one Acts the same way as a disabled rule except for ability to count and mangle packets e reject Reject the packet and send an ICMP reject message e return Return to the previous chain from where the jump took place e passthrough MANGLE only mark the packet for further processing against some rule and go on processing the next rule e masquerade SRC NAT only Use masquerading for the packet and substitute the source MikroTik RouterOS V2 6 Reference Manual 220 Firewall Filters and Network Address Translation NAT address port of the packet with the ones of the router In this case the to src address argument value is not taken into account and it does not need to be specified since the router s local address is used e redirect DST NAT only redirects to the local address port of the router In this case the to dst address argument value is not taken into account and it does not need to be specified since the router s local address is used e nat SRC NAT and DST NAT only Perform Network Address Translation For source NAT the to src address should be specified not required with action masquerade For destination NAT the to dst address should be specified not required with action redirect Logging the Firewall Actions To enable logging of the firewall actions you should set the value of the rule argument log to yes Also the logging facilit
45. from is used then it is possible to export only specified items The export does not descend recursively through the command hierarchy export also has the argument file which allows you to save the script in a file on the router to retrieve it later via ftp The root level command import file_name restores the exported information from the specified file This is used to restore configuration or part of it after a system reset event or anything that causes configuration data loss Export and Import Examples admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 5 5 244 24 10 5 5 244 10535255 etherl MikroTik RouterOS V2 6 Reference Manual 364 Export and Import 1 10 5 5 245 32 1055734245 10s 53g ether1 2 10 5 5 246 32 10 5 5 246 1000246 etherl admin MikroTik ip address gt To make an export file use the following command admin MikroTik ip address gt export file address admin MikroTik ip address gt To make an export file from only one item use the following command admin MikroTik ip address gt export file addressl from 1 admin MikroTik ip address gt To see the files stored on the router use the following command admin MikroTik gt file print NAME TYPE SIZE CREATION TIME 0 addressl rsc script 128 mar 26 2002 16 00 13 1 address rsc script 354 mar 26 2002 15 48 57 admin MikroTik file
46. masquerading rule then the router opens a connection to the destination and sends out a modified packet with its own address and a port allocated for this connection The router keeps track of masqueraded connections and performs the demasquerading of packets which arrive for the opened connections For filtering purposes you may want to specify the to src ports argument value say to 60000 65535 If you want to change the source address port to specific address port use the action nat instead of action masquerade admin MikroTik ip firewall src nat gt add src address 192 168 0 1 32 out interface etherl action nat to src address 10 0 0 217 admin MikroTik ip firewall src nat gt print Flags X disabled I invalid 0 src address 192 168 0 1 32 0 65535 dst address 0 0 0 0 0 0 65535 out interface etherl protocol all icmp options any any flow limit count 0 limit burst 0 limit time 0s action nat to src address 10 0 0 217 to src port 0 65535 admin MikroTik ip firewall src nat gt Here the src address can be IP host s address for example 192 168 0 1 32 or network address 192 168 0 0 24 to src address can be one address or a range say 10 0 0 217 10 0 0 219 The addresses should be added to the router s interface or should be routed to it from the gateway router The source nat can masquerade several private networks and use individual to src address for each of them MikroTi
47. print NETWORK O 159 148 150 192 27 admineMikroTik routing bgp network gt Here the network argument is used to specify the network mask to advertise You can add to the list as many networks as required Also you can use 0 0 0 0 0 to advertise all networks Note that the OSPF uses network list for different purpose to determine where to send updates BGP Peers You need to specify the BGP peer with whom you want to exchange the routing information The BGP exchanges routing information only if it can establish a TCP connection to its peer You can add as many peers as required for example admin MikroTik routing bgp peer gt add remote address 192 168 0 254 remote as 217 admin MikroTik routing bgp peer gt print REMOTE ADDRESS REMOTE AS MULTIHOP ROUTE REFLECT PREFIX LIS PREFIX LI O 192 168 0 254 217 no no none none admin MikroTik routing bgp gt peer print status REMOTE ADDRESS REMOTE AS STATE ROUTES RECEIVED 0 192 168 0 254 217 connected 1 admin MikroTik routing bgp gt Argument description remote address address of the remote peer remote as AS number of the remote peer multihop if set to yes allows BGP sessions even when the neighbor is not on a directly connected segment The multihop session is not established if the only route to the multi hop peer s address is the default ro
48. put 10 0 0 15 0 0 10 0 ERROR cannot add ip address to ip address admin MikroTik interface gt put 10 0 0 15 10 10 0 0 25 MikroTik RouterOS V2 6 Reference Manual 39 Scripting Manual fadmin MikroTik e difference interface gt Subtract one number from another one time value from another Subtracting a number from IP address gives IP address Subtracting one IP address from another gives number admin MikroTik interface gt put 10 0 0 25 admin MikroTik interface gt put 12 admin MikroTik interface gt put 10 0 0 3 admin MikroTik interface gt put 14h5 m58s admin MikroTik interface gt e multiplication 10 0 0 15 10 10 0 0 15 10 0 0 3 10 00 L 22 LA gt 25 Multiply two numbers or multiply a time value by a number admin MikroTik interface gt put 48s admin MikroTik interface gt put 10 admineMikroTik interface gt e division 12s 4 5 2 Divide one number by another gives an integer or a time value by a number gives time value fadmin MikroTik 35333 333ms fadmin MikroTik 2 admin MikroTik e lt less gt more lt less or equal gt more or equal interface gt put interface gt put interface gt 10s 3 5 2 Compare two numbers two time values or two IP addresses Gives truth value admin MikroTik interface gt put fa
49. should be configured Static users may be added as follows fadmin MikroTik copy from interfac item number pptp server gt add creates new item with specified property values MikroTik RouterOS V2 6 Reference Manual 167 Point to Point Tunnel Protocol PPTP disabled nam New interface nam user admin MikroTik interface pptp server gt add user exl admin MikroTik interface pptp server gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC O DR lt pptp ex gt ex 1460 10 0 0 202 6m32s none al pptp inl exl admin MikroTik interface pptp server gt Note that in both cases P2P users must be configured properly Description of the printout name interface name user the name of the user that is configured statically or added dynamically mtu shows cannot be set here client s MTU client address shows cannot be set here the IP of the connected client uptime shows how long the client is connected encryption shows cannot be set here what encryption algorithm is used for the link If the PPTP server is configured properly and it has established connections with the clients you can 1 See the list of connected clients using the interface pptp server print command 2 See the pptp in interfaces under the interface print list 3 See the dynamic IP addresses under the ip address print list 4 S
50. MikroTik RouterOS V2 6 Reference Manual Table of Contents Terminal Console Manual: Contents of the Manual, Overview of Common Functions, Quick Typing, Internal Item numbers, Multiple Items, General Commands. Scripting Manual: Contents of the Manual, Network Watching Tools, Writing Scripts, Console scripting introduction, Grouping level commands, Command substitution return Values
51. then gatekeeper voip and numbers tables will look as follows admin MikroTik ip telephony voice port voip gt print Flags X disabled D dynamic R registered NAME AUTODIAL REMOTE ADDRESS JITTER BUFFER PREFERED CODEC SIL FAS 0 ESE22 0 10 0 0 101 Os none no yes 1 D local 127 40 0 1 100ms none no yes MikroTik RouterOS V2 6 Reference Manual 290 IP Telephony Lo DATO O cc 10 0 0 100 100ms none no yes admin MikroTik ip telephony numbers gt print Flags I invalid X disabled D dynamic R registered DST PATTERN VOICE PORT PREFIX 0 78 linejackl 1 Bik as vetxl 2 33 voipl 3 Desc voipl 4 XD 78 local 78 5 XD 3 local 3 6 D 76 10 0 0 100 76 7 D 77 10 0 0 100 77 8 D 1 10 0 0 100 1 Here we can see how aliases and prefixes are added to numbers table Entries 0 3 are static Entries 4 and 5 are added by registering local endpoint to local gatekeeper Entries 6 8 are added by registering endpoint with IP address 10 0 0 100 to local gatekeeper For prefixes _ is added at the end of dst pattern to allow any additional digits to be added at the end Local endpoint is registered to local gatekeeper too So local aliases and prefixes are added as dynamic numbers too Only as they are local and corresponding number entries already exists in number table then these dynamically added entries are disabled by default If any registered telephone n
52. 0 admin MikroTik system script gt scheduler admin MikroTik system scheduler gt add interval 7d name email backup script e backup admin MikroTik system scheduler gt print Flags X disabled NAME SCRIPT START DATE START TIME INTERVAL RUN COUNT 0 email e backup oct 30 2008 15 19 28 Td 1 admin MikroTik system scheduler gt MikroTik RouterOS V2 6 Reference Manual 391 System Scheduler Manual Do not forget to set the e mail settings i e the SMTP server and From address under tool e mail For example admin MikroTik tool e mail gt set server 159 148 147 198 from SysAdmin host com admin MikroTik tool e mail gt print server 159 148 147 198 from SysAdmin host com fadmin MikroTik tool e mail gt If more than one script has to be executed at one time they are executed in the order they appear in the scheduler configuration This can be important if for example one scheduled script is used to disable another The order of scripts can be changed with the move command If a more complex execution pattern is needed it can usually be done by scheduling several scripts and making them enable and disable each other Example below will put x in logs each hour from midnight till noon admin MikroTik system script gt add name enable x source system scheduler enable x admin MikroTik system script gt add name disable x source system
53. 0 current local count 0 current forwarding count 0 admin MT_Prism_AP interface prism gt The list of registered clients looks like follows admin MT_Prism_AP interface prism gt registration table print INTERFACE MAC ADDRESS TYPE PARENT O prisml 00 07 EB 30 E7 DA client 1 prisml 00 02 6F 01 5D FE client admin MT_Prism_AP interface prism gt There are two possible ways of implementing the wireless access point feature MikroTik RouterOS V2 6 Reference Manual 185 Prismll Wireless Client and Wireless Access Point Manual e Use it as a pure access point with bridging function enabled between the ethernet and prism interfaces The IP address can be assigned to the bridge interface e Use it as a wireless access point router with routing functionality between the ethernet and prism interfaces It requires different IP addresses assigned to both the Ethernet and prism interfaces The addresses should be from different networks as well To enable bridging between the ethernet and prism interfaces do the following 1 Add bridge interface with the desired forwarded protocols admineMT_Prism_AP admineMT_Prism_AP Flags 0 X interface bridge gt add forward protocols ip arp other interface bridge gt print X disabled R running name bridgel mtu 1500 arp enabled mac address 00 00 00 00 00 00 forward protocols ip arp other priority 1 admineMT_Prism_AP interfa
54. 09 2002 20 25 31 no MikroTik RouterOS V2 6 Reference Manual 129 MOXA C101 Synchronous Interface 6 advanced tools 2 6beta4 aug 09 2002 20 53 37 no 7 cyclades 2 6beta4 aug 09 2002 20 52 00 no 8 framerelay 2 6beta4 aug 09 2002 20 52 09 no fadmin MikroTik gt Software License The MOXA C101 Synchronous Adapter requires the Synchronous Feature License One license is for one installation of the MikroTik RouterOS disregarding how many cards are installed in one PC box The Synchronous Feature is not included in the Free Demo or Basic Software License The Synchronous Feature cannot be obtained for the Free Demo License It can be obtained only together with the Basic Software License System Resource Usage Before installing the synchronous adapter please check the availability of free IRQ s admin MikroTik gt system resource irq print Flags U unused IRQ OWNER 1 keyboard 2 APIC 3 4 serial port U 5 U 6 U 7 U 8 9 etherl U 10 11 ether2 U 12 U 13 14 IDE 1 fadmin MikroTik gt Installing the Synchronous Adapter You can install up to four MOXA C101 synchronous cards in one PC box if you have so many slots and IRQs available For ISA variant the basic installation steps should be as follows 1 Check the system BIOS settings for peripheral devices like Parallel or Serial Communication ports Disable them if you plan to use IRQ s assigned to them by the BIOS 2 Set the jumper of the IRQ to one
55. 10 Accessing the Router Remotely Using Web Browser and WinBox Console The MikroTik router can be accessed remotely using e the telnet protocol for example using the telnet client of your Windows or Unix workstation Working with the telnet console is the same as working with the monitor and keyboard attached to the router locally e the ftp for uploading the software upgrade packages or retrieving the exported configuration files e the http and WinBox Console for example using the web browser of your workstation Overview The Winbox Console is used for accessing the MikroTik Router configuration and management features using graphical user interface All Winbox interface functions are as close as possible to Console functions all Winbox functions are exactly in the same place in Terminal Console and vice versa except functions that are not implemented in Winbox That is why there are no Winbox sections in the manual The Winbox Console plugin loader the winbox exe program can be retrieved from the MikroTik router the URL is http router_address winbox winbox exe Use any web browser on Windows 95 98 ME NT4 0 2000 XP to retrieve the router s web page with the mentioned link The winbox plugins are cached on the local disk for each MikroTik RouterOS version The plugins are not downloaded if they are in the cache and the router has not been upgraded since the last time it has been accessed Starting the Winbox Console
56. 1813 5m admin MikroTik ip hotspot radius client gt All parameters are the same as for ppp ppp radius client accounting enable or disable RADIUS accounting accounting port IP port on RADIUS server for accounting authentication port IP port on RADIUS server for authentication enabled defines whether RADIUS client is enabled interim update Interim Update time interval primary server IP address of primary RADIUS server secondary server IP address of secondary RADIUS server shared secret shared secret of RADIUS server RADIUS Parameters Authentication data sent to server Access Request NAS Identifier NAS Port Type Calling Station Id Called Station Id NAS Port Id User Name CHAP Password CHAP Challenge router identity for HotSpot is Ethernet client MAC address with CAPITAL letters Hotspot server name from version 2 6 9 Hotspot server name client login name encrypted password and challenge Data received from server Access Accept Framed IP Address Framed Pool Idle Timeout Session Timeout Framed Route Filter Id IP address given to client If address is 255 255 255 254 IP pool is used from hotspot settings If Framed IP Address is specified Framed Pool is ignored IP pool name on the router from which to get IP address for the client idle timeout parameter session timeout parameter routes to add on the server Format is specified i
57. 1813 interim update Os admin MikroTik ppp radius client gt Description of the output enabled yes no Status of RADIUS client accounting yes no Status of RADIUS accounting primary server Primary RADIUS server secondary server Secondary RADIUS server shared secret corresponding text string from RADIUS server accounting port accounting port authentication port default port 1645 according to RFC interim update defines time interval between communications with the router If this time will exceed RADIUS server will assume that this connection is down This value is suggested to be not less than 3 minutes RADIUS Client Monitor The RADIUS client can be monitored using monitor command for example admin MikroTik ppp radius client gt monitor pending 0 requests accepts rejects bad replies last request rtt D OO e admin MikroTik ppp radius client gt Counters can be reset using the reset counters command Similar monitor is for HotSpot Radius client as well RADIUS Parameters Authentication data sent to server Access Request Service Type always is Framed Framed Protocol always is PPP NAS Identifier router identity NAS Port Type Async for async PPP Virtual for PPTP Ethernet for PPPoE ISDN Sync for ISDN Calling Station Id client MAC address with CAPITAL letters for PPPoE client public IP address for PPTP Called Stati
58. 20s up script e up down script e up MikroTik tool netwatch gt print detail Flags X disabled 0 host 10 0 0 215 timeout 998ms interval 20s since mar 22 2002 14 07 36 status up up script e up down script e up MikroTik tool netwatch gt Writing Scripts Console scripting introduction Although 2 6 console syntax has many changes from previous versions most users will not notice any differences However if you are using scripting capabilities of RouterOS it is recommended to read this section even if you have some experience with previous console versions This is more an introductory text less a reference It freely uses commands and concepts before explaining them to make it as short simple and comprehensive as possible It might be necessary to read it several times Many examples are given because it is the best way to explain most things Command Console commands in 2 6 are made from the following parts PREFIX PATH PATH_ARGUMENT COMMAND NAMELESS_ARGUMENTS ARGUMENTS first few examples ping 10 0 0 13 count 5 PREFIX COMMAND ping NAMELESS_ARGUMENTS 10 0 0 13 ARGUMENTS count 5 p p firewall rule input PATH ip firewall rule PATH_ARGUMENT input for i from 1 to 10 do put i PREFIX COMMAND for NAMELESS_ARGUMENTS i ARGUMENTS from 1 to 10 do put i interface monitor traffic etherl
59. 255 etherl 2 1 1 1 1 32 iZ 255 255 255 255 wan admin MikroTik ip address gt ping 1 1 1 2 1 1 1 2 64 byte pong tt1 255 time 31 ms 1 1 1 2 64 byte pong tt1l 255 time 26 ms 1 1 1 2 64 byte pong tt1l 255 time 26 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 26 27 6 31 ms admin MikroTik ip address gt Note that for the point to point link the network mask is set to 32 bits the argument network is set to the IP address of the other end and the broadcast address is set to 255 255 255 255 The default route should be set to the gateway router 1 1 1 2 admin MikroTik ip route gt add gateway 1 1 1 2 interface wan admin MikroTik ip route gt print Flags X disabled I invalid D dynamic J rejected connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 scam Ree er MESS 1 wan MikroTik RouterOS V2 6 Reference Manual 142 MOXA C502 Synchronous Interface 1 DC 10 0 0 0 24 r 10 0 0 254 1 ether2 2 DC 192 168 0 0 24 r 192 168 0 254 0 etherl SDE Lid 2732 r 0 0 0 0 0 wan admin MikroTik ip route gt The configuration of the Mikrotik router at the other end is similar admin MikroTik ip address gt add address 1 1 1 2 32 interface moxa network 1 1 1 1 broadcast 255 255 255 255 admin MikroTik ip address gt print Flags X disabled I invalid D dynamic
60. 32 80 protocol tcp icmp options any any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action nat to dst address 192 168 0 4 to dst port 0 65535 admineMikroTik ip firewall dst nat gt Please consult the Firewall Manual for more information on NAT O Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 21 MikroTik RouterOS V2 6 Reference Manual PDF version for printing Document revision 21 Jan 2003 This document applies to the MikroTik RouterOS V2 6 O Copyright 1999 2003 MikroTik MikroTik RouterOS V2 6 Reference Manual 22 Terminal Console Manual Document revision 29 Nov 2002 This document applies to the MikroTik RouterOS v2 6 Overview The Terminal Console is used for accessing the MikroTik Router configuration and management features using text terminals i e remote terminal clients as well as local monitor and keyboard The Terminal Console is used for writing scripts This manual describes the general console operation principles Please consult the Scripting Manual on some advanced console commands and on how to write scripts Contents of the Manual The following topics are covered in this manual e Overview of Common Functions Lists Item Names Quick Typing Help Multiple Items e General Commands Overview of Common Functions The console allows configuration of the router settings using text commands The comma
61. Table of Contents: How to Connect PowerTip LCD to a Parallel Port, Hardware Resource Usage, LCD Information Display Configuration, LCD Troubleshooting; Contents of the Manual, Managing the License, Obtaining Additional License Features; Log Management: Installation, Hardware Resource Usage, Log Management Description, Log Management Example; Network Time Protocol (NTP): Contents of the Manual, NTP Installation on the MikroTik RouterOS
62. 4 For CISCO Aironet Bridges only Set Configuration Radio Extended Bridge mode access_point If you leave it to bridge_only it won't register clients 5 Setting the identity parameters Configuration Ident Inaddr Inmask and Gateway These are required if you want to access the AP remotely using telnet or http Reminder Please note that the AP is not a router It has just one network address and is just like any host on the network It resembles a wireless to Ethernet HUB or bridge The AP does not route the IP traffic There is no need to set up the routing table under Configuration Ident Routing The frequency argument does not have any meaning since the frequency of the AP is used The IP addresses assigned to the wireless interface should be from the network 10 1 1 0 24 e g admin MikroTik ip address gt add address 10 1 1 12 24 interface aironet admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE MikroTik RouterOS V2 6 Reference Manual 90 CISCO Aironet 2 4GHz 11Mbps Wireless Interface 0 10 1 1 12 24 10 1 1 0 10 1 1 255 aironet 1 192 168 0 254 24 192 168 0 0 192 168 0 255 Local admin MikroTik ip address gt The default route should be set to the gateway router 10 1 1 254 not the AP 10 1 1 250 admin MikroTik ip route gt add gateway 10 1 1 254 admin MikroTik ip route gt print Flags X disabled I in
63. Table of Contents: Device Driver Management: Contents of the Manual, Loading Device Drivers, Removing Device Drivers, Notes on PCMCIA Adapters, Troubleshooting; General Interface Settings: Contents of the Manual, Interface Status, Interface Specific Settings; Atheros 5GHz 54Mbps Wireless Interface: Contents of the Manual, Supported Network Roles, Wireless Client, Wireless Access Point, Installation, System Resource Usage
64. AP feature license only the 2 4GHz Wireless license Thus it is possible to create point to point links and bridge networks over wireless links Installation The MikroTik Router should have the prism software package installed The software package file prism 2 6 x npk can be downloaded from MikroTik s web page www mikrotik com To install the package please upload the correct version file to the router and reboot Use BINARY mode ftp transfer After successful installation the package should be listed under the installed software packages list License The PrismII chipset based adapters like other 2 4GHz wireless adapters require the 2 4GHz wireless feature license One license is for one installation of the MikroTik RouterOS disregarding how many cards are installed in one PC box The wireless feature is not included in the Free Demo or Basic Software License The 2 4GHz Wireless Feature cannot be obtained for the Free Demo License It can be obtained only together with the Basic Software License Note The 2 4GHz Wireless Feature License enables only the station or bridge mode of the Prism II card To enable the ap bridge mode additionally the Wireless AP Feature License is required The MikroTik RouterOS supports as many PrismlI chipset based cards as many free resources are on your system i e IRQs and adapter slots but not more than 6 One license is valid for all cards on your system MikroTik RouterOS V2 6 Refere
65. Allow UDP connections src address 0 0 0 0 0 0 65535 in interface all dst address 0 0 0 0 0 0 65535 out interface all protocol udp icmp options any any tcp options any connection state any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action accept log no 2 77 Allow ICMP messages src address 0 0 0 0 0 0 65535 in interface all dst address 0 0 0 0 0 0 65535 out interface all protocol icmp icmp options any any tcp options any connection state any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action accept log no 3 77 Allow http connections to the server at 192 168 0 17 src address 0 0 0 0 0 0 65535 in interface all dst address 192 168 0 17 32 80 out interface all protocol tcp icmp options any any tcp options syn only connection state any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action accept log no 4 jj Allow smtp connections to the server at 192 168 0 17 src address 0 0 0 0 0 0 65535 in interface all dst address 192 168 0 17 32 25 out interface all protocol tcp icmp options any any tcp options syn only connection state any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action accept log no 5 55 Allow ftp data connections from servers on the Internet src address 0 0 0 0 0 20 in interface all dst address 0 0 0 0 0 1024 65535 out interface all protocol tcp icmp options any any tcp options syn onl
66. BFIFO Setting Default Queue Type for the Interface To change the default queue type for the interface use the queue interface set command e g admin MikroTik queue interface gt print INTERFACE QUEUE 0 etherl ethernet default 1 prisml default admin MikroTik queue interface gt set prisml queue wireless default admin MikroTik queue interface gt print INTERFACE QUEUE 0 etherl ethernet default MikroTik RouterOS V2 6 Reference Manual 325 Queues and Bandwidth Management 1 prisml wireless default admin MikroTik queue interface gt Configuring Queue Trees The queue trees should be used when you want to use sophisticated bandwidth allocation based on protocols ports groups of IP addresses etc If you have added a simple queue it is listed as dynamic one under the queue tree print e g admin MikroTik queue simple gt print Flags X disabled I invalid 0 name A_Simple src address 0 0 0 0 0 dst address 192 168 0 0 24 interface etherl limit at 128000 queue default priority 8 bounded yes admin MikroTik queue simple gt tree admin MikroTik queue tree gt print Flags X disabled I invalid D dynamic O D name A_Simple parent etherl flow limit at 128000 max burst 20 queue default priority 8 weight 1 allot 1514 bounded yes admin MikroTik queue tree gt Argument description name descriptive name for the queue
67. Basic System Resources System Resource Monitoring IR and IO Usage Monitor e Reboot and Shutdown e Configuration Reset e Router Identity e Date and Time Settings e Configuration Change History System Resource Monitor System Resource Monitor can be accessed under the system resource menu admin MikroTik system resource gt System resources monitor Monitor CPU and memory usage irq Interrupt Request usage information io Input Output ports usage information print Print basic system resources information get get value of property admin MikroTik system resource gt Basic System Resources Use the print command to view the basic system resource status admin MikroTik system resource gt print uptime 1d23h32m6s free memory 1112 kB total memory 29528 kB cpu WinChip cpu load 0 free hdd space 6400 kB total hdd space 46478 kB admin MikroTik system resource gt The argument values are self explanatory MikroTik RouterOS V2 6 Reference Manual 386 System Resource Management System Resource Monitoring The current system CPU usage and free memory can be viewed using the monitor command fadmin MikroTik cpu used free memory fadmin MikroTik system resource gt monitor 3 1112 system resource gt The values for cpu usage and free memory are in percentage and megabytes respectively IRQ and IO Usage Monitor The IRQ and IO addresses can be viewed using the irq print and io print c
68. Console 4 Overview 4 Starting the Winbox Console Overview of Common Functions Troubleshooting for Winbox Console e Configuring Basic Functions Working with Interfaces 0 Use of the setup Command Adding Addresses Configuring the Default Route Testing the Network Connectivity e Application Examples MikroTik RouterOS V2 6 Reference Manual 2 Introduction Application Example with Masquerading Application Example with Bandwidth Management Application Example with NAT MikroTik RouterOS V2 6 Reference Manual Setting up MikroTik RouterOS Downloading and Installing the MikroTik RouterOS The download and installation process of the MikroTik RouterOS is described in the following diagram www mikrotik com MikroTik Support Downloads Internet 1 preset les Router Console pos aon Monitor amp Keyboard ne for installing and initial setup iJ WinSS98 NT 2K Workstation eS 2 5 Create the Use the Installation Media 0 Installation Media to boot up the PC CD or Floppies and install the MikroTik Dedicated PC Router RouterOS software with MikroTik RouterOS 1 Download the basic installation archive file Depending on the desired media to be used for installing the MikroTik RouterOS please chose one of the following archive types for downloading e ISO image of the installation CD if you have a CD writer for creating CDs The ISO image is in the MTcdimage_v2 6 x_dd mmm
69. MikroTik RouterOS V2 6 Reference Manual Table of Contents IP Addresses and Address Resolution Protocol (ARP): Contents of the Manual, Assigning IP Addresses, Address Resolution Protocol ARP, Using the Proxy ARP Feature, Using Unnumbered Interfaces; Contents of the Manual, Installation, Hardware Resource Usage, IP Pool Description, IP Pool Setup, RADIUS, Monitoring Used IP Addresses; Contents of the Manual, Installation, Hardware Resource Usage, How IPsec Works
70. Table of Contents: OSPF Interface, OSPF Neighbours, Running OSPF, OSPF Troubleshooting, Additional Resources, OSPF Application Examples; OSPF Backup without using Tunnel: OSPF Main Router Setup, OSPF peer 1 Router Setup, OSPF peer 2 Router Setup, Routing Tables, Routing Tables with Revised Link Cost, Functioning of the Backup; OSPF Backup using Encrypted Tunnel through a Third Party: OSPF Main Router Setup, OSPF peer 1 Router Setup, Routing Tables, Functioning of the Backup; Prefix List Installation on the MikroT
71. HDLC Frame Relay Synchronous Interfaces Moxa C101 v 35 4 Mb s Moxa C502 PCI 2 port v 35 8 Mb s Cyclades PC 300 v 35 Cyclades PC 300 E1 T1 FarSync X 21 Asynchronous Interfaces Standard Communication Ports Coml and Com2 Moxa Smartio C104H C168H PCI 4 8 port up to 4 cards 32 ports Cyclades Cyclom Y and Cyclades Z Series up to 32 ports per card up to 4 cards TCL DataBooster 4 or 8 PCI cards Ethernet Interfaces Most widely used single and multiport Ethernet interface cards including ISA and PCI NE2000 compatible most common network cards 3Com 509 Series 3Com EtherLink III ISA 3Com 3c59x 3c90x series Intel EtherExpress Pro 100 Intel PRO 1000 series DEC Tulip compatible Realtec RTL8139 based Winbond w89c840 based Davicom DM9102 based ISDN Interfaces Most ISDN PCI Cards Data connections at 64 128kbps client and server VoIP Interfaces H 323 Protocol VoIP Analog Gateways QuickNet LineJack ISA QuickNet PhoneJack for IP telephones MikroTik RouterOS V2 6 Reference Manual 58 MikroTik RouterOS V2 6 Specifications Sheet Voicetronix V4PCI 4 analog telephone lines cards Zaptel X 100P IP telephony card 1 analog line H 323 Protocol VoIP Digital Gateways ISDN cards for VoIP gateways H 323 Protocol IP Telephones QuickNet LineJack and PhoneJack ISA xDSL Interfaces additional license purchase required Synchronous Xpeed 300 SDSL cards Up
72. HotSpot and only if there is the same source MAC address and the same randomly generated ID, the user is automatically logged in. A new cookie with a different random ID is sent to the web browser. The old cookie is removed from the local HotSpot active cookie list. A new one with a new expire time is added. MikroTik RouterOS V2 6 Reference Manual 236 HotSpot Gateway Address Assignment When a user is successfully authenticated, HotSpot assigns another IP address to the client (static or from some IP pool). On the client's next DHCP request, the new IP address will be given by the DHCP server to this client. How much time this IP address change requires depends on the DHCP lease time for non authenticated users. The HotSpot login delay parameter should be set according to this DHCP server lease time. If the lease time is 10s, then the real login delay will be about 1 7 seconds. So it is quite safe to set login delay to 8s in this case. While the IP address is being changed, the user sees the after login alogin html page. This page will automatically forward the user to the original destination address (or the status page, if there was no original dst address) after the login delay time has passed. Logging Out The user can log out using the status page. There is a link to http virtual_HotSpot_ip logout. Going to this page will log out the user. After that the logout page logout html will be shown to the user. MikroTik HotSpot Gateway Setup MikroTik HotSpot Gateway setup is under the ip hotspot submenu admin MikroTik ip ho
73. IP Telephony Hardware and Software Installation. Software Packages: The MikroTik Router should have the telephony package installed. To install the package, please upload it to the router and reboot. The package can be downloaded from MikroTik's web page www.mikrotik.com. The software package size is 1.7MB; after installation it requires 5MB of additional HDD space and 6MB of additional RAM. Please make sure you have the required capacity. Use the system resource print command to see the amount of available resources: admin MikroTik gt system resource print uptime 7m17s total memory 61240 free memory 32756 cpu type AMD K6 tm cpu frequency 300 hdd total 46474 hdd free 20900 admin MikroTik gt You may want to increase the amount of RAM from 32MB to 48 64MB if you use telephony. Use the system package print command to see the list of installed packages. Please note that you should uninstall the telephony package before the upgrade. After the upgrade you can put it back, and you will not lose the configuration. Software License: The telephony does not require any additional Software License. It works with the Basic License. Hardware Installation: Please install the telephony hardware into the PC according to the instructions provided by the card manufacturer. Each installed Quicknet card requires IO memory range in the following sequence: the first card occupies addr
74. Keepalive period in seconds (0 to 32767); clock rate: Speed of internal clock; clock source: Clock source (external, internal, tx from rx, tx internal); disabled: disable or enable the interface; frame relay dce: Operate in DCE mode (yes, no); frame relay lmi type: Frame Relay Local Management Interface type (ansi, ccitt); line protocol: Line protocol (cisco hdlc, frame relay, sync ppp); mtu: Maximum Transmit Unit (68 to 1500 bytes), default value is 1500 bytes; name: New interface name. You can monitor the status of the synchronous interface: admin MikroTik interface moxa c502 gt monitor 0 dtr yes rts yes cts no dsr no dcd no admin MikroTik interface moxa c502 gt Connect a communication device, e.g., a baseband modem, to the V.35 port and turn it on. If the link is working properly, the status of the interface is: admin MikroTik interface moxa c502 gt monitor 0 dtr yes rts yes cts yes dsr yes dcd yes admin MikroTik interface moxa c502 gt The MikroTik driver for the MOXA C502 Dual port Synchronous adapter allows you to unplug the V.35 cable from one modem and plug it into another modem with a different clock speed, and you do not need to restart the interface or router. Troubleshooting: The synchronous interface does not show up under the interfaces list. Obtain the required
75. Key at least 8 characters This key is used during Authentication Phase if the Authentication Method Proposal is Pre Shared key OK Cancel click Enter Key type RRR REE click OK MikroTik RouterOS V2 6 Reference Manual 271 IPsec in Internet Interface box Name select interface that is connected to 10 0 0 0 24 network TP Addr check that it shows 10 0 0 81 Configure phase setting to use same algorithms as on RouterOS side Security Policy Editor SonicWALL PN Client 3 3 My Connections ES my connection 3 My Identity urity Policy Authentication Phase 1 fl Proposal 1 GQ Key Exchange Phase 2 3 Proposal 1 Q Other Connections Diffie Hellman Group 1 Select Phase 1 Negotiation Mode select Main Mode check Enable Perfect Forward Secrecy PFS PFS Key Group select Diffie Hellman Group 1 clear Enable Replay Detection MikroTik RouterOS V2 6 Reference Manual 272 IPsec 3 My Connections EX gi my connection E e My Identity Security Policy 68 eme Phase 1 i Proposal 1 a SB Key Exchange Phase 2 i i Proposal 1 Ap Other Connections Diffie Hellman Group 2 y Authentication Method select Pre Shared Key in Encryption and Data Integrity Algorithms box Encrypt Alg select Triple DES Hash Alg select SHA 1 SA Life select Unspecified Key Group select Diffie Hellman Group 2 thi
76. Loading the Driver for the MOXA C502 Synchronous Adapter; Synchronous Interface Configuration; Troubleshooting; Synchronous Link Applications: MikroTik Router to MikroTik Router, MikroTik Router to CISCO Router. Synchronous Adapter Hardware and Software Installation. Software Packages: The MikroTik Router should have the moxa c502 synchronous software package installed. The software package file moxa-c502-2.6.x.npk can be downloaded from MikroTik's web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list, for example: admin MikroTik gt sys package print Flags I invalid NAME VERSION BUILD TIME UNINSTALL 0 system 2 6beta4 aug 09 2002 20 22 14 no 1 ppp 2 6beta4 aug 09 2002 20 28 01 no 2 moxa c502 2 6beta4 aug 09 2002 20 53 57 no 3 pppoe 2 6beta4 aug 09 2002 20 29 18 no 4 pptp 2 6beta4 aug 09 2002 20 28 43 no 5 ssh 2 6beta4 aug 09 2002 20 25 31 no 6 advanced tools 2 6beta4 aug 09 2002 20 53 37 no 7 cyclades 2 6beta4 aug 09 2002 20 52 00 no 8 framerelay 2 6beta4 aug 09 2002 20 52 09 no admin MikroTik gt Software License: The MOXA C502 Dual port Synchronous Adapter requires the Synchronous Feature License. One license is for one in
77. Local admin MikroTik ip address gt The second router will have address 192.168.11.2. The network connectivity can be tested by using ping or bandwidth test: admin wnet_gw ip address gt add address 192 168 11 2 30 interface pc1 admin wnet_gw ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 11 2 30 192 168 11 0 192 168 11 3 pc1 1 10 1 1 12 24 10 T10 IRO ERAS Public admin wnet_gw ip address gt ping 192 168 11 1 192 168 11 1 pong ttl 255 time 3 ms 192 168 11 1 pong ttl 255 time 1 ms 192 168 11 1 pong ttl 255 time 1 ms 192 168 11 1 pong ttl 255 ping interrupted 4 packets transmitted 4 packets received 0 packet loss round trip min avg max 1 1 5 3 ms admin wnet_gw interface pc gt tool bandwidth test 192 168 11 1 protocol tcp status running rx current 4 61Mbps rx 10 second average 4 25Mbps rx total average 4 27Mbps admin wnet_gw interface pc gt tool bandwidth test 192 168 11 1 protocol udp size 1500 status running rx current 5 64Mbps rx 10 second average 5 32Mbps rx total average 4 87Mbps admin wnet_gw interface pc gt Copyright 1999 2002 MikroTik. Cyclades PC300 PCI Adapters. Document revision 13 Aug 2002. This document applies to the MikroTik RouterOS v2.6. Overview: The MikroTik RouterOS supports the following Cyclades PC300 Adapter
78. MA401 11Mbps 802 11 WLAN Card version NETGEAR MA401 Wireless PC Card Version 01 00 card Intersil PRISM Freedom 11mbps 802 11 WLAN Card version Intersil PRISM Freedom PCMCIA Adapter ISL37100P Eval RevA card OTC Wireless AirEZY 2411 PCC 11Mbps 802 11 WLAN Card version OTC Wireless AirEZY 2411 PCC WLAN Card Version 01 02 card Zcomax XI 325HP PCMCIA 200mW Card Copyright 1999 2002 MikroTik. RadioLAN 5.8GHz Wireless Interface. Document revision 29 Nov 2001. This document applies to the MikroTik RouterOS V2.6. Overview: The MikroTik RouterOS supports the following RadioLAN 5.8GHz Wireless Adapter hardware: RadioLAN ISA card (Model 101); RadioLAN PCMCIA card. For more information about the RadioLAN adapter hardware, please see the relevant User's Guides and Technical Reference Manuals. Contents of the Manual: The following topics are covered in this manual: Wireless Adapter Hardware and Software Installation (Software Packages; Software License; System Resource Usage; Installing the Wireless Adapter; Loading the Driver for the Wireless Adapter); Wireless Interface Configuration; Wireless Troubleshooting; Wireless Network Applications (Point to Point Setup with Routing). Wireless Adapter Hardware and Software Installation. Software Packages: The MikroTik Router should have the radiolan software package instal
79. MRTG to monitor network card traffic on Mikrotik 2.6.x. This file was created with MRTG v2.9.17 cfgmaker on a linux computer. This is only an example file. MRTG Sample Configuration. For more information read the MRTG documentation, Configuration Reference. Additional Resources: http://www.ietf.org/rfc/rfc1592.txt http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm Copyright 1999 2002 MikroTik
80. MikroTik ip firewall gt The policy of user added chains is none, and it cannot be changed. Chains cannot be removed if they contain rules (are not empty). Firewall Rules: Management of the firewall rules can be accessed by selecting the desired chain. If you use the WinBox console, select the desired chain and then press the List button on the toolbar to open the window with the rules. In the terminal console, use the ip firewall rule command with the argument value that specifies a chain, for example: admin MikroTik ip firewall gt rule input admin MikroTik ip firewall rule input gt To add a rule, use the add command, for example: admin MikroTik ip firewall rule input gt add dst port 8080 protocol tcp action reject admin MikroTik ip firewall rule input gt print Flags X disabled I invalid 0 src address 0 0 0 0 0 0 65535 in interface all dst address 0 0 0 0 0 8080 out interface all protocol tcp icmp options any any tcp options any connection state any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action reject log no admin MikroTik ip firewall rule input gt Here, the available values for the argument action are: accept, drop, jump, passthrough, reject, return. See the argument description above. Masquerading and Source NAT: Masquerading is a firewall func
81. MikroTik queue simple gt tree print Flags X disabled I invalid D dynamic 0 D name parent ether1 flow limit at 128000 max burst 20 queue default priority 8 weight 1 allot 1514 bounded yes admin MikroTik queue simple gt Queue rules are processed in the order they appear in the queue tree print list. If some packet matches the queue rule, then the queuing mechanism specified in that rule is applied to it, and no more rules are processed for that packet. Queue Types: The queue types are used to specify some common argument values for queues. There are four default built in queue types: default, ethernet default, wireless default, and synchronous default. The built in queue types cannot be removed. You can add your own queue types by specifying the argument values, for example: admin MikroTik queue type gt add name CUSTOMER def kind red red min threshold 0 red burst 0 admin MikroTik queue type gt print 0 name default kind none bfifo limit 15000 pfifo limit 10 red limit 60 red min threshold 10 red max threshold 50 red burst 20 sfq perturb 5 sfq allot 1514 1 name ethernet default kind none bfifo limit 15000 pfifo limit 10 red limit 60 red min threshold 10 red max threshold 50 red burst 20 sfq perturb 5 sfq allot 1514 2 name wireless default kind sfq bfifo limit 15000 pfif
82. MikroTik RouterOS V2.6 Reference Manual, Table of Contents. Border Gateway Protocol (BGP) Routing Protocol: Troubleshooting; Additional Resources; BGP Application Examples. Export and Import: Hardware Resource Usage; Export and Import Description; Export and Import Examples. Backup and Restore: Installation; Hardware Resource Usage; Backup and Restore Description; Backup and Restore Examples. Liquid Crystal Display (LCD) Manual: Contents of the Manual; Installation.
83. Policy routing rules are configured in the ip policy routing rule menu: admin MikroTik ip policy routing rule gt print Flags X disabled I invalid SRC ADDRESS DST ADDRESS INTE FLOW ACTION TABLE 0 0 0 0 0 0 0 0 0 0 0 all Lookup main admin MikroTik ip policy routing rule gt After installation there is one default rule, which says that routes for all packets should be looked up in the main table. Argument description: src address mask: Source IP address/mask, where mask is number of bits in the subnet. For example, x.x.x.x/32 for the address x.x.x.x and the 32 bit netmask 255.255.255.255. dst address mask: Destination IP address/mask, where mask is number of bits in the subnet. interface: Interface name through which the packet arrives. Should be all for the rule that should match locally generated or masqueraded packets, since at the moment of processing the routing table these packets have interface name set to loopback. flow: flow mask of the packet to be matched by this rule. The flow masks are set using ip firewall mangle. Routing tables can be created/deleted in the ip policy routing menu: admin MikroTik ip policy routing gt print Flags D dynamic NAME 0 D main admin MikroTik ip policy routing gt There is always the table main; this one cannot be deleted and its name cannot be changed. T
84. MikroTik RouterOS V2.6. Overview: The firewall supports filtering and security functions that are used to manage data flows to the router, through the router, and from the router. Along with the Network Address Translation, they serve as security tools for preventing unauthorized access to networks. Contents of the Manual: The following topics are covered in this manual: Firewall Installation; Packet Flow through the Router; IP Firewall Configuration; IP Firewall Common Arguments; Logging the Firewall Actions; Marking the Packets (Mangle) and Changing the MSS; Firewall Chains; Firewall Rules; Masquerading and Source NAT; Redirection and Destination NAT; Understanding REDIRECT and MASQUERADE; Connection Tracking; Troubleshooting; Additional Resources; IP Firewall Applications; Basic Firewall Building Principles; Example of Firewall Filters; Protecting the Router; Protecting the Customer's Network; Enforcing the Internet Policy; Example of Source NAT (Masquerading); Example of Destination NAT. Firewall Installation: The firewall feature is included in the system software package. No additional software package installation is needed for this feature. Packet Flow through the Router: The firewall rules are applied in the following order: When a packet arrives at an interface, the NAT rules are applied first. The firewall rules of the input chain and routing are applied after the packet has passed
85. RADIUS authentication as well. The RADIUS server argument for limiting the data rate transmitted to the client is Ascend-Data-Rate (vendor id 529, attribute id 197). Note that filter rules jumping to the specified firewall chain are added automatically to the hotspot firewall chain. This means that you should create the hotspot chain and pass some or all the packets to it in order for filtering to function. HotSpot Server Settings: One server can be added for each DHCP server. Which server profile to apply will depend on the DHCP server which gave the DHCP lease to that client. Actually, it means that if a user logs in from different interfaces, then different server profiles will be used. It allows assigning different IP addresses on different ethernet interfaces. admin MikroTik ip hotspot server gt print 0 name dhcp1 dhcp server hotspot_dhcp lease time 1m login delay 10s address pool hotspot netmask 0 0 0 0 gateway 0 0 0 0 admin MikroTik ip hotspot server gt Description of parameters: address pool: IP pool name from which the HotSpot client will get an IP address if it is not given some static already; gateway: default gateway; lease time: DHCP lease time for logged in user; login delay: Time required to log in user; name: DHCP profile name (is sent as NAS Port Id by RADIUS client); netmask: network mask; dhcp server: DHCP server with which to use this profile. HotSpot User Database: The local user database is
86. Decryption; Internet Key Exchange; Pre-shared Secret; Proposal; Application Examples: IPsec setup between two RouterOS routers; IPsec Setup for Routing Between two Masquerading MikroTik Routers; IPsec Setup Between MikroTik and CISCO Routers (Configuring RouterOS; Configuring CISCO; Testing); IPsec setup between RouterOS router and Windows SonicWall Client (Configuring RouterOS; Configuring SonicWALL; Testing). IP Telephony: IP Telephony Specifications; Supported Hardware.
87. RouterOS V2.6 Reference Manual, Table of Contents. Ping; Hardware Resource Usage; Ping Description; Ping Example; Hardware Resource Usage; Traceroute Description; Traceroute Examples; Hardware Resource Usage; Traffic Monitor Description; Traffic Monitor Examples; Hardware Resource Usage; Tools for SNMP Data Collection and Analysis; Example of using MRTG with Mikrotik SNMP; Additional Resources. MikroTik RouterOS V2.6 Basic Setup Guide. PDF version. Introduction. Document revision 29 Nov 2002. This document applies to the MikroTik RouterOS V2.6. MikroTik RouterOS is an independent Linux based Operating System for PC based routers and thinrouters. It does not require any additional components and has no software prerequisites. It is designed with an easy to use yet powerful interface allowing network administrators to deploy network struct
88. Routing Protocol [Network diagram: Internet, routers OSPF Main, OSPF peer 1 and OSPF peer 2, links labelled main_link and backup, LAN 192.168.0.0/24] Let us assume that the link between the routers OSPF Main and OSPF peer 1 is the main one. If it goes down, we want the traffic to switch over to the links going through the router OSPF peer 2. For this: 1. We introduce an OSPF area with area ID 0.0.0.1, which includes all three routers shown on the diagram. 2. Only the OSPF Main router will have the default route configured. Its interfaces peer1 and peer2 will be configured for the OSPF protocol. The interface main_gw will not be used for distributing the OSPF routing information. 3. The routers OSPF peer 1 and OSPF peer 2 will distribute their connected route information and receive the default route using the OSPF protocol. OSPF_Main Router Setup: The IP address configuration of the OSPF_Main router is as follows: admin OSPF Main interface gt ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 214 24 10 0400 10 00 2959 main_gw 1 10 1 0 2 24 10 1 0 0 10 1 0 0295 peer1 2 10 2 0 2 24 1022 0 0 L0 203255 peer2 admin OSPF Main interface gt OSPF settings: admin OSPF Main gt routing ospf print router id 0 0 0 0 distribute default if installed as t
89. Setup; DHCP Server Setup; Static Leases; Additional DHCP Resources. Installation: Please download the dhcp-2.6.x.npk package from the MikroTik's web site, upload it with ftp in BINARY mode to the router and reboot. Use the system package print command to see the list of installed packages. Hardware Resource Usage: The DHCP server does not consume any significant resources. The DHCP client may consume high resource for five to ten seconds when acquiring an address or renewing an address. DHCP Description: The DHCP protocol gives and allocates IP addresses to IP clients. DHCP is basically insecure and should only be used on secure networks. UDP port 67 is the DHCP listen port and UDP port 68 is the DHCP transmit port. DHCP Client Setup: The MikroTik RouterOS DHCP client may be enabled on one Ethernet like interface. The client will accept an address, netmask, default gateway, and two dns server addresses. The IP address will be added to the interface with the netmask. The default gateway will be added to the routing table as a dynamic entry. When the DHCP client is disabled, the dynamic default route will be removed. If there is already a default route installed before the DHCP client obtains one, the route obtained by the DHCP client will be shown as invalid. The DNS server from the DHCP server will be used as the router's default DNS if the router's DNS
90. Queue Applications: Example of Emulating a 128k/64k Line; Example of Using Masquerading; Example of Guaranteed Quality of Service. Additional Resources: Links on Class Based Queuing (CBQ); Links on Random Early Detection (RED); More Complete Information about Traffic Control. Open Shortest Path First (OSPF) Routing Protocol: Overview; Contents of the Manual; Hardware Resource Usage; OSPF Setup; Setting the Basic OSPF Argument Values; OSPF Areas.
91. TOF Lido V2 10rd 255 Public Lele tu2 732 Te Lalat 259429572994295 MOXA admin MikroTik ip address gt ping 1 1 1 1 1 1 1 1 64 byte pong tt1 255 time 31 ms 1 1 1 1 64 byte pong tt1l 255 time 26 ms 1 1 1 1 64 byte pong tt1l 255 time 26 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 26 27 6 31 ms admin MikroTik ip address gt MikroTik Router to CISCO Router Let us consider the following network setup with MikroTik Router connected to a leased line with baseband modems and a CISCO router at the other end MikroTik RouterOS V2 6 Reference Manual 135 MOXA C101 Synchronous Interface Internet interface EthernetO address 10 1 1 12 24 interface Serial0 address 1 1 1 2 32 interface wan MikroTik Baseband Modem address 1 1 1 1 32 interface ether2 address 10 0 0 254 24 interface ether 1 address 192 168 0 254 24 LAN 192 168 0 0 24 LAN 10 0 0 0 24 The driver for MOXA C101 card should be loaded and the interface should be enabled according to the instructions given above The IP addresses assigned to the synchronous interface should be as follows admin MikroTik ip address gt add address 1 1 1 1 32 interface wan network 1 1 1 2 broadcast 255 255 255 255 admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 254 24 10 0 0 254 1020 0 255 ether
92. To do this, the router will monitor the UPS and set itself to hibernate mode when the utility power is down and the UPS battery has less than 10% of its battery power left. The router will then continue to monitor the UPS while in hibernate mode, and then restart itself when the utility power returns. If the UPS battery is drained and the router loses all power, the router will power back to full operation when the utility power returns. The UPS monitor feature on the MikroTik RouterOS supports: hibernate and safe reboot on power and battery failure; UPS battery test and run time calibration test; monitoring of all smart mode status information supported by UPS; logging of power changes. Specifications: Packages required: ups; License required: Any; Home menu level: system ups; Protocols utilized: APC's smart protocol; Hardware usage: not significant. Cabling: The APC UPS (BackUPS Pro or SmartUPS) requires a special serial cable. If no cable came with the UPS, a cable may be ordered from APC or one can be made in house. Use the following diagram: Router Side DB9f UPS Monitor Setup. Submenu level: system ups. admin MikroTik system gt ups admin MikroTik system ups gt print enabled no port unknown off line time 5m min run time 5m alarm setting immediate rtc alarm setting none admin MikroTik system up
93. VID VID VID RECEIVED lt lt lt ISAKMP OAK MM KE NON VID SENDING gt gt gt gt ISAKMP OAK MM ID HASH NOTIFY STATUS_INITIAL_CONTACT RECEIVED lt lt lt ISAKMP OAK MM 1D HASH Established IKE SA 09 33 43 033 HIS COOKIE 7f 21 99 e3 Eb 82 bb ae 09 33 43 063 My Connectionsimy connection Initiating IKE Phase 2 with Client IDs message id AB379E0 09 33 43 063 Initiator IP ADDR 10 0 0 81 prot 0 port 0 09 33 43 063 Responder IP SUBNET MASK 1 1 1 0 255 255 255 0 prot 0 port 0 09 33 43 063 My Connectionsimy connection 09 33 43 204 My Connections my connection 09 33 43 204 My Connections my connection 09 33 43 214 My Connectionsmy connection 09 33 43 214 09 33 53 208 My Connections my connection 09 33 53 208 My Connections my connection 09 34 03 212 My Connectionsimy connection 09 34 03 212 My Connectionsimy connection Security Association Details Phase 1 Phase Lifetime Ene Alg DES My Cookie 1000586ab4ff Auth Method Preshrd key His Cookie 712199e36b82bbae Expires at 17 33 43 11 2670 Hash Alg SHA 1 State TIVE DH Group 2 Private Addr NONE Security Association Details p Phase1 Phase 2 Lifetime Enc Ala DES Lol Address 100 081 Inbound Dutbournd i 03 03 Hahaa R Ramadass AT Deia 10 03 43 17 2670 10 03 43 11 26 0 SPI inb 3c3c7a8d Encapsulation TUNNEL SPI outb 4723105 O Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Man
94. VLAN Interface and Protocol Description; VLAN Setup; VLAN Application Examples; Additional Resources; Currently Supported Interfaces. WaveLAN ORiNOCO 2.4GHz 11Mbps Wireless Interface: Overview; Note: MikroTik does not guarantee support for Orinocco Wavelan; Contents of the Manual; Wireless Adapter Hardware and Software Installation; Software Packages; Software License; System Resource Usage; Installing the Wireless Adapter; Loading the Driver for the Wireless Adapter; Wireless Interface Configuration.
95. address 10 5 13 11 default remote port 514 buffer lines 100 General logging parameters buffer lines Number of lines kept in local buffer Contents of the local logs can be viewed using the log print command When number of lines in local log buffer is exceeded lines from the beginning of buffer are deleted default remote address Remote log server IP address Used when remote logging is enabled but no IP address of the remote server is specified IP 0 0 0 0 default remote port Remote log server UDP port Used when remote logging is enabled but no UDP port of the remote server is specified UDP 0 MikroTik RouterOS V2 6 Reference Manual 374 Log Management Individual settings for various logging facilities are in the system logging facility menu fadmin MikroTik FACILITY DoF WNEF OC Firewall Log PPP Account PPP Info PEP Error System Info System Error System Warning LOG non non rem non rem rem loc Logging facility parameters GING PREFIX e e ote e ote ote al system logging gt facility print REMOTE ADDRESS REMOTE PORT LOM 3 LO 514 TOD LS EL 514 T0 4 003 LL 514 facility Read only Name of the log group logging Type of logging prefix Local log prefix remote address Remote log server IP address Used when logging type is remote If not set default log server IP address is used remote port
96. admin MikroTik interface gt system resource irq print Flags U unused IRQ OWNER 1 keyboard 2 APIC U 3 4 serial port U 5 U 6 U 7 U 8 9 ether1 U 10 U 11 U 12 U 13 14 IDE 1 admin MikroTik interface gt system resource io print PORT RANGE OWNER 20 3F APIC 40 5F timer 60 6F keyboard 80 8F DMA A0 BF APIC C0 DF DMA F0 FF FPU 1F0 1F7 IDE 1 2F8 2FF serial port 3C0 3DF VGA 3F6 3F6 IDE 1 3F8 3FF serial port CF8 CFF PCI conf1 EF00 EFFE Realtek Semiconductor Co Ltd RTL 8139 EF00 EFFE 8139too FC00 FC7F Cyrix Corporation 5530 IDE Kahlua FC00 FC07 IDE 1 FC08 FC0F IDE 2 admin MikroTik interface gt Installing the Wireless Adapter: These installation instructions apply to non Plug and Play ISA cards. If you have a Plug and Play compliant system AND the PnP OS Installed option in system BIOS is set to Yes AND you have a Plug and Play compliant ISA or PCI card (using PCMCIA or CardBus card with Plug and Play compliant adapter), the driver should be loaded automatically. If it is not, these instructions may also apply to your system. The basic installation steps of the wireless adapter should be as follows: 1. Check the system BIOS settings for peripheral devices, like Parallel or Serial communication ports. Disable them if you plan to use IRQ's assigned to them by
97. admin MikroTik interface wavelan gt set 0 ssid b_link mode ad hoc frequency 2412MHz admin MikroTik interface wavelan gt monitor wavelan1 bssid 00 02 2D 07 17 23 frequency 2412MHz data rate 11Mbit s ssid b_link signal quality 0 signal level 154 noise 154 admin MikroTik interface wavelan gt The other router of the point to point link requires the same parameters to be set: admin wnet_gw interface wavelan gt set 0 ssid b_link mode ad hoc frequency 2412MHz admin wnet_gw interface wavelan gt enable 0 admin wnet_gw interface wavelan gt monitor 0 bssid 00 02 2D 07 17 23 frequency 2412MHz data rate 11Mbit s ssid b_link signal quality 0 signal level 154 noise 154 admin wnet_gw interface wavelan gt As we see, the MAC address under the bssid parameter is the same as generated on the first router. IP Network Configuration: If desired, IP addresses can be assigned to the wireless interfaces of the point to point link routers using a smaller subnet, say a 30 bit one: admin MikroTik ip address gt add address 10 0 0 1 30 interface wavelan1 admin MikroTik ip address gt add address 192 168 0 254 24 interface ether1 admin MikroTik ip address gt print ADDRESS NETMASK NETWORK BROADCAST INTERFACE 0 10 0 0 1 255 255 255 252 10 00 01 10 0 0 3 wavelan1 1 192 168 0 254 2
98. admin MikroTik ip firewall rule admin MikroTik ip firewall rule comment Allow access from admin MikroTik ip firewall rule X comment Reject and log ev admin MikroTik ip firewall rule Flags X disabled I invalid 0 777 Allow established TCP connections src address 0 0 0 0 0 0 65535 in interface all dst address 0 0 0 0 0 0 65535 out interface all protocol tcp icmp options any any tcp options non syn only connection state established flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action accept log no MikroTik RouterOS V2 6 Reference Manual 228 fadmin MikroTik Firewall Filters and Network Address Translation NAT jj Allow UDP connections src address 0 0 dst address 0 0 icmp options any src mac address limit time 0s ac 0 0 0 0 65535 in interface all 0 0 0 0 65535 out interface all protocol udp any tcp options any connection state any flow 00 00 00 00 00 00 limit count 0 limit burst 0 tion accept log no 77 Allow ICMP messages src address 0 0 dst address 0 0 icmp options any src mac address limit time 0s ac jj Allow access src address 10 5 dst address 0 0 icmp options any src mac address limit time 0s ac 0 0 0 0 65535 in interface all 0 0 0 0 65535 out interface all protocol icmp any tcp options any connection state any flow 00 00 00 00 00 00 limit count 0 limit burst 0 tion accept log no from trusted network 10 5 8 0
99. alarm immediately after the on-battery event; low-battery: alarm only when the battery is low; none: do not alarm. When enabled, additional properties appear (that cannot be changed): model (string): less than 32 ASCII character string consisting of the UPS model name (the words on the front of the UPS itself). version (string): UPS version, consists of three fields: SKU number, firmware revision, country code. The country code may be one of the following: I - 220/230/240 Vac, D - 115/120 Vac, A - 100 Vac, M - 208 Vac, J - 200 Vac. serial (string): a string of at least 8 characters directly representing the UPS's serial number as set at the factory. Newer SmartUPS models have 12-character serial numbers. manufacture-date (string): the UPS's date of manufacture in the format "mm/dd/yy" (month, day, year). nominal-battery-voltage (integer): the UPS's nominal battery voltage rating (this is not the UPS's actual battery voltage). Notes: In order to enable UPS monitor, the serial port should be available: [admin@MikroTik] port> print NAME USED-BY BAUD-RATE 0 serial0 Serial Console 9600 1 serial1 9600 [admin@MikroTik] port> Port serial1 is free in this example. Example: To enable the UPS monitor for port serial1: [admin@MikroTik] system ups> set port=serial1 enabled=yes [admin@MikroTik] system ups> print
100. algorithm. Please review the TCP protocol for details on its internal speed settings and how to analyze its behavior. Statistics for throughput are calculated using the entire size of the TCP packet. As acknowledgments are an internal working of TCP, their size and usage of the link are not included in the throughput statistics. Therefore this statistic is not as reliable as the UDP statistic when estimating throughput. The UDP tester sends 110 or more packets than currently reported as received on the other side of the link. To see the maximum throughput of a link, the packet size should be set for the maximum MTU allowed by the links, usually this is 1500 bytes. There is no acknowledgment required by UDP; this implementation means that the closest approximation of the throughput can be seen. Topics covered in this manual: Installation; Hardware Resource Usage; Bandwidth Test Description; Bandwidth Test Server Configuration; Bandwidth Test Client Configuration; Bandwidth Test Example. Installation: The Bandwidth Test feature is included in the system package. No installation is needed for this feature. Hardware Resource Usage: Caution! Bandwidth Test uses all available bandwidth (by default) and may impact network usability. There is no other significant resource usage. Bandwidth Test Description. Bandwidth Test Server Configuration: [admin@MikroTik] tool> bandwidth-server Configure network bandwidth tester service
101. all combinations of I/O base addresses and IRQs may work on your motherboard. It is recommended that you choose one IRQ that is not used in your system, and then try an acceptable I/O base address setting. As it has been observed, the IRQ 5 and I/O 0x300 or 0x180 work in most cases. Loading the Driver for the Wireless Adapter: PCI and PC (PCMCIA) cards do not require a manual driver loading, since they are recognized automatically by the system and the driver is loaded at the system startup. The ISA card requires the driver to be loaded by issuing the following command: [admin@MikroTik] > driver add name=pc-isa io=0x180 [admin@MikroTik] > driver print Flags: I - invalid, D - dynamic DRIVER IRQ IO MEMORY ISDN-PROTOCOL 0 D PCI NE2000 1 Aironet ISAxx00 0x180 [admin@MikroTik] driver> There can be several reasons for a failure to load the driver: The driver cannot be loaded because another device uses the requested IRQ. Try to set a different IRQ using the DIP switches. The requested I/O base address cannot be used on your motherboard. Try to change the I/O base address using the DIP switches. Wireless Interface Configuration: If the driver has been loaded successfully (no error messages), and you have the required 2.4GHz Wireless Software License, then the CISCO/Aironet 2.4GHz Wireless interface should appear under the interfaces list with the name pcn, where n is 1, 2, ... You can change the interface name to a more
102. an overview of ISAKMP phase 1 exchange modes. Currently only main mode is tested. hash-algorithm: Hashing algorithm. Valid algorithms are md5 and sha, in order of increasing strength and computation time. proposal-check: Lifetime check logic. This is for phase 2 lifetimes (you cannot configure lifetimes for phase 1 proposals yet). One of: claim (take shortest of proposed and configured lifetimes, notify initiator about it); exact (lifetimes must be the same); obey (accept whatever is sent by initiator); strict (if initiator proposes longer lifetime than default, reject proposal, otherwise accept proposed lifetimes; this is the default value). send-initial-contact: yes. Note that both peers MUST have the same encryption and authentication algorithms, dh-group and exchange-mode. Some legacy hardware may support only DES and MD5. Statistics can be printed out using the print stats command. For not yet established connections: [admin@MikroTik] ip ipsec peer> print stats Flags: X - disabled 0 address=10.0.0.201:500 exchange-mode=main send-initial-contact=yes proposal-check=strict hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 ph1-state=no-phase1 [admin@MikroTik] ip ipsec peer> For running connection: [admin@MikroTik] ip ipsec peer> print stats Flags: X - disabled 0 address=10.0.0.201:500 exchange-mode=main send-initial-contact=yes proposal-check=strict hash-algorithm=md5 enc-algorithm=3des dh-group=modp
103. are loaded automatically at the system startup Use the driver print command to see the list of loaded drivers admineMikroTik driver gt print Flags I invalid D dynamic DRIVER IRQ IO MEMORY ISDN PROTOCOL 0 D RealTek RTL8129 8139 fadmin MikroTik driver gt AS we see the driver for the Realtek PCI card has been loaded automatically If the driver required to be loaded use the driver add command The syntax of the command is fadmin MikroTik gt driver add Load driver name irq IRQ io IO range start mem shared memory copy from item number io IO port base address irq IRQ number isdn protocol ISDN line protocol memory Shared Memory base address name Driver name MikroTik RouterOS V2 6 Reference Manual 60 Device Driver Management fadmin MikroTik gt If hexadecimal values are used for the arguments put 0x before the number To see the list of available drivers enter the driver add name command admineMikroTik driver gt add name Name of driver to load 3c509 3com 3c509 ISA ne2k isa ISA NE2000 admin MikroTik driver gt add name ne2k isa io 0x280 admin MikroTik driver gt print Flags I invalid D dynamic DRIVER IRQ IO MEMORY ISDN PROTOCOL O D RealTek RTL8129 8139 1 ISA NE2000 280 fadmin MikroTik driver gt To see the system resources occupied by the devices use the system resource io print and system resource irq print commands admin MikroTi
104. baud rate 57600 port gt print detail from serial0 admin MikroTik stop bits 1 flow control hardware port gt Description of the printout: name - port name; used-by - shows the user of the port (cannot be changed). Only free ports can be used in PPP; baud-rate - maximal data rate of the port (50-4000000); data-bits - number of bits per character transmitted (7, 8); parity - character parity check method (none, even, odd); stop-bits - number of stop bits after each character transmitted (1, 2); flow-control - flow control method (none, hardware, xon-xoff). Note that baud-rate, data-bits, parity, stop-bits and flow-control parameters must be the same for both communicating sides. PPP Server: The PPP server management is done in the interface ppp-server submenu. You can add a PPP server using the add command: [admin@MikroTik] interface ppp-server> add name=test port=serial1 [admin@MikroTik] interface ppp-server> pr Flags: X - disabled, R - running 0 X name="test" mtu=1500 mru=1500 port=serial1 authentication=mschap2,chap,pap profile=default modem-init="" ring-count=1 null-modem=no admin M
105. be done by putting rules in the forward chain, or/and by masquerading (source NAT) only those connections that are allowed. Filtering has some impact on the router's performance. To minimize it, the filtering rules that match packets for established connections should be placed on top of the chain. These are TCP packets with options non-syn-only. Examples of setting up firewalls are discussed below. Example of Firewall Filters: Assume we want to create a firewall that: protects the MikroTik router from unauthorized access from anywhere (only access from the 'trusted' network 10.5.8.0/24 is allowed); protects the customer's hosts within the network 192.168.0.0/24 from unauthorized access from anywhere; gives access from the Internet to the http and smtp services on 192.168.0.17; allows only ICMP ping from all customer's hosts and forces use of the proxy server on 192.168.0.17. The basic network setup is in the following diagram: [Network diagram: Internet gateway 10.0.0.254 on the Public Network 10.0.0.0/24; MikroTik Router with interface Public (address 10.0.0.217, netmask 255.255.255.0) and interface Local (address 192.168.0.254, netmask 255.255.255.0); Local Network 192.168.0.0/24 with Workstation 192.168.0.1, Laptop 192.168.0.2 and Server 192.168.0.17.] The IP addresses and routes of the MikroTik router ar
106. be not less than 3 minutes. If set to 0s, no interim update messages are sent at all. The CDR (Call Detail Record) messages are sent to the main RADIUS server. If the main server does not respond, then these records are sent to the secondary RADIUS server. If the secondary RADIUS server does not respond either, an error is sent to the Telephony-Error log. The router tries each server three times, waiting 0.7 seconds between the tries. The contents of the CDR are as follows: NAS-Identifier - router name (from system identity print); NAS-IP-Address - router's local IP address which the connection was established to (if it exists); NAS-Port-Type - always Async; Event-Timestamp - date and time of the event; Acct-Session-Time - current connection duration (only in INTERIM-UPDATE and STOP records); Acct-Output-Packets - sent RTP (Real-Time Transport Protocol) packet count (only in INTERIM-UPDATE and STOP records); Acct-Input-Packets - received RTP (Real-Time Transport Protocol) packet count (only in INTERIM-UPDATE and STOP records); Acct-Output-Octets - sent byte count (only in INTERIM-UPDATE and STOP records); Acct-Input-Octets - received byte count (only in INTERIM-UPDATE and STOP records); Acct-Session-Id - unique session participant ID; h323-disconnect-cause - session disconnect reason (only in STOP records): 0 Local end
107. be taken from computer s internal power supply use Black wire for GND and Red wire for 5V WARNING Be very careful connecting power supply We do not recommend using external power supplies In no event shall MikroTikls be liable for any hardware damages Note that there are some PowerTip PC2404A modules that have different pin out Compare From www powertip com tw probably newer one From www actron de probably older one Some LCDs may be connected without resistors LCD Hardware Resource Usage Before connecting the LCD please check the availability of ports their configuration and free the desired port resource if required For serial LCD admin MikroTik system lcd gt port print NAME USED BY BAUD RATE 0 serial0 Serial Console 9600 1 seriall 9600 admin MikroTik system lcd gt Please install the LCD module hardware into the PC accordingly the instructions provided by the module manufacturer The basic installation steps should be as follows e Connect the LCD s serial connector to the COM1 or COM2 port of the router e Connect the LCD s power cable to the router s power supply 5V and ground e Turn on the router and configure the LCD settings MikroTik RouterOS V2 6 Reference Manual 369 Liquid Crystal Display LCD Manual Configuring the LCD s Settings The LCD configuration can be accessed under the menu system lcd Use the system Icd set command to configure the type an
108. belong to the same network too You should be able to ping through the wireless bridge from one LAN to MikroTik RouterOS V2 6 Reference Manual 188 Prismll Wireless Client and Wireless Access Point Manual other and to gateway 10 0 0 1 Supported Prism II Hardware Many wireless cards based on the Prism 2 and above chipset use the prism reference design PCI identifier or PCI identifier of the OEM producer of the card They do not have a unique identifier based on the brand name or company name on the PCI card So for many cards it is needed to simply test and see if it is recognized MikroTik RouterOS supports the following PCI identifiers for the Prism 2 and above chipset based hardware card Intersil PRISM2 Reference Design 11Mb s 802 11b WLAN Card version INTERSIL HFA384x IEEE card GemTek WL 211 Wireless LAN PC Card version Wireless LAN llMbps PC Card card Compaq WL100 200 11Mb s 802 11b WLzAN Card manfid 0x0138 0x0002 card Compaq iPaq HNW 100 11Mb s 802 11b WLAN Card manfid 0x028a 0x0002 card Samsung SWL2000 N 11Mb s 802 11b WLAN Card manfid 0x0250 0x0002 card Z Com XI300 11Mb s 802 11b WLAN Card manfid 0xd601 0x0002 card ZoomAir 4100 11Mb s 802 11b WLAN Card version ZoomAir 11Mbps High Rate wireless Networking card Linksys WPC11 11Mbps 802 11b WLAN Card version Instant Wireless Network PC CARD Version 01 02 card Addtron AWP 100
109. clients: 7552 kB [admin@MikroTik] > Printout description: status - the same as for ip web-proxy print; uptime - uptime of the proxy server; clients - number of present and past proxy clients (in current uptime); requests - total number of requests to the proxy (in current uptime); hits - number of requests satisfied with proxy's cache (in current uptime); cache-size - current cache size in kilobytes; received-from-servers - how many kilobytes did proxy receive from remote servers (in current uptime); sent-to-clients - how many kilobytes did proxy send to the clients to resolve their requests (in current uptime); hits-sent-to-clients - how many kilobytes of sent traffic were taken from the cache (in current uptime). Access List: Access list is implemented in the same way as MikroTik firewall rules. Rules are processed from the top to the bottom. First matching rule specifies decision of what to do with this connection. Connections can be matched by its source address, destination address, destination port or substring of requested url. If none of these parameters is specified, every connection will match this rule. If connection is matched by a rule, action property of this rule specifies whether connection will be allowed or not. If connection does not match any rule, it will be allowed. [admin@MikroTik] ip web-proxy access> print Flags: X
110. controller for PCI as used on the IntelEtherExpressPro 100 adapter e1000 Intel PRO 1000 Desktop Adapter Intel PRO 1000 Server Adapter tulip This device driver is designed for the DECchip Tulip Digital s single chip ethernet controllers for PCI Supported members of the family are the 21040 21041 21140 21140A 21142 and 21143 Similar work alike chips from Lite On Macronics ASIX Compex and other listed below are also supported Interfaces Digital DC21040 Tulip Digital DC21041 Tulip Digital DS21140 Tulip Digital DS21143 Tulip D Link DFE 570TX and 580 TX Lite On 82c168 PNIC Macronix 98713 PMAC MikroTik RouterOS V2 6 Reference Manual 63 Device Driver Management Macronix 98715 PMAC Macronix 98725 PMAC ASIX AX88140 Lite On LC82C115 PNIC II ADMtek AN981 Comet Compex RL100 TX Intel 21145 Tulip Xircom Tulip clone e rtl8139 This device driver is designed for the RealTek RTL8129 the RealTek Fast Ethernet controllers for PCI This chip is used on a few clone boards RealTek RTL8129 Fast Ethernet RealTek RTL8139 Fast Ethernet SMC1211TX EZCard 10 100 RealTek RTL8139 Accton MPX5030 RealTek RTL8139 e winbond 840 This driver is for the Winbond w89c840 chip Winbond W89c840 Compex RL100 ATX e dmfe This driver is for Davicom DM9102 Davicom DM9102A Davicom DM9102A DM9801 Davicom DM9102A DM9802 For the list of drivers included in additional feature software packages please see the manual of the relevant
111. date and time 1X 5s System resources cpu and memory load 2X 5s System uptime 3 X 5s Aggregate traffic in packets sec 4 X 5s Aggregate traffic in bits sec 5 X58 Software version and build info 6 X 5s etherl TS prisml admin MikroTik system lcd page gt enable find admin MikroTik system lcd page gt print Flags X disabled MikroTik RouterOS V2 6 Reference Manual 370 DISPLAY TIME 5s 5s 5s 5s 5s 5s 5s 7 5s DOP WNP OO HF Liquid Crystal Display LCD Manual DESCRIPTION System date and time System resources cpu and memory load System uptime Aggregate traffic in packets sec Aggregate traffic in bits sec Software version and build info etherl prisml admin MikroTik system lcd page gt The output of the print command shows the number time and short description of the displayed information items Use the enable command to enable the specified item or the disable command to disable it Use the system Icd page set command to set the display time for specified item admin MikroTik system lcd page gt set 0 display time 10s admin MikroTik system Flags X disabled DISPLAY TIME 10s 5s 5s 5s 5s 5s 5s 7 5s O Utas wW N O lcd page gt print DESCRIPTION System date and time System resources cpu and memory load System uptime Aggregate traffic in packets sec Aggregate traffic in bits sec Software version and build info ether1 prismi admin Mikr
112. default setting of the card. supported-rates: Rates at which this node will work. basic-rates (only ap-bridge or bridge): Rates that every client that plans to connect to this AP should be able to work at. It is recommended to set it to 1, since not all clients might support rates 1-11. Station Mode Configuration: To set the wireless interface for working with an IEEE 802.11b access point (register to the AP), you should set the following parameters: The Service Set Identifier. It should match the ssid of the AP. The Operation Mode of the card should be set to station. The Supported Rate of the card should match the basic rates of the AP. For example, if the AP has basic-rate 1, the client can have supported-rate 1-11. If the AP has basic-rate 1-11, then all clients MUST have the supported-rate 1-11. Thus, it is okay to leave the supported-rate 1-11 for the client. All other parameters can be left as default. To configure the wireless interface for registering to an AP with ssid "testing", it is enough to change the argument value of ssid to "testing" and to enable the interface: [admin@MikroTik] interface prism> set prism1 ssid=testing [admin@MikroTik] interface prism> enable prism1 [admin@MikroTik] interface prism> print Flags: X - disabled, R - running 0 name="prism1" mtu=1500 mac-address=00:90:4B:02:17:E2 arp=enabled mode=station root-ap=00:00:00:00:00:00 frequency=2412MHz ssid="testing" default
113. descriptive one using the set command To enable the interface use the enable command admin MikroTik gt interface print Flags X disabled D dynamic R running NAME TYPE MTU O R etherl ether 1500 MikroTik RouterOS V2 6 Reference Manual 87 CISCO Aironet 2 4GHz 11Mbps Wireless Interface 1 X ether2 ether 1500 2 X pel pc 1500 admineMikroTik interface gt set 1 name aironet admineMikroTik interface gt enable aironet admin MikroTik gt interface print Flags X disabled D dynamic R running NAME TYPE MTU O R etherl ether 1500 1 X ether2 ether 1500 2 R aironet pe 1500 admin MikroTik gt More configuration and statistics parameters can be found under the interface pe menu admin MikroTik interface pc gt pr Flags X disabled R running O R name pc1 mtu 1500 mac address 00 40 96 29 2F 80 arp enabled client name ssidl tsunami ssid2 ssid3 mode infrastructure data rate 1Mbit s frequency 2437MHz modulation cck tx power 100 ap1 00 00 00 00 00 00 ap2 00 00 00 00 00 00 ap3 00 00 00 00 00 00 ap4 00 00 00 00 00 00 rx antenna right tx antenna right beacon period 100 long retry limit 16 short retry limit 16 rts threshold 2312 fragmentation threshold 2312 join net 10s card type PC4800A 3 65 admin MikroTik interface pc gt Argument description number Interface number in the list name Interface name mtu Maximum Transmit Unit 256 2048 bytes De
114. downloaded from MikroTik's web page www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list. Hardware Resource Usage: This protocol uses a minimum of resources. VLAN Interface and Protocol Description: VLANs are simply a way of grouping a set of switch ports together so that they form a logical network, separate from any other such group. Within a single switch this is straightforward local configuration. When the VLAN extends over more than one switch, the inter-switch links have to become trunks, on which packets are tagged to indicate which VLAN they belong to. You can use MikroTik RouterOS (as well as Cisco IOS and Linux) to mark these packets as well as to accept and route marked ones. As VLAN works on OSI Layer 2, it can be used just as any other network interface without any restrictions. VLAN also passes through ethernet bridges (for MikroTik RouterOS bridges you should set forward-protocols to ip, arp and other; for other bridges there should be analogous settings). VLAN Setup: Virtual LAN interface management can be accessed under the interface vlan submenu. You can add a VLAN interface using the interface vlan add command: [admin@MikroTik] interface
115. driver Supposing you have an ISDN card with an HFC chip admin MikroTik gt driver add name hfc MikroTik RouterOS V2 6 Reference Manual 124 ISDN Interface Now additional channels should appear Assuming you have only one ISDN card driver loaded you should get following admineMikroTik isdn channels gt print Flags X disabled E exclusive NAME CHANNEL DIR TYPE PHONE 0 channell 0 1 channel2 admin MikroTik isdn channels gt Suppose you would like to use dial on demand to dial your ISP and automatically add a default route to it Also you would like to disconnect when there is more than 30s of network inactivity Your ISP s phone number is 12345678 and the user name for authentication is john Your ISP assigns IP addresses automatically Add an outgoing ISDN interface and configure it in the following way admin mikrotik gt interface isdn client add name isdn isp phone 12345678 user john password 31337 add default route yes dial on demand yes admin MikroTik gt interface isdn client print Flags X disabled R running 0 X name isdn isp mtu 1500 mru 1500 msn user john password 31337 profile default phone 12345678 12 protocol hdlc bundle 128K no dial on demand yes add default route yes use peer dns no Configure PPP profile admin MikroTik ppp profile gt print Flags default 0 name default local address 0 0 0 0 remote addr
116. enable command The interface name can be changed to a more descriptive one by using the interface set command admineMikroTik interface gt set 0 name Public MikroTik RouterOS V2 6 Reference Manual 16 Configuring Basic Functions admin MikroTik interface gt set 1 name Local admin MikroTik interface gt print Flags X disabled D dynamic R running NAME MTU TYPE 0 R Public ether 1500 O R Local ether 1500 admin MikroTik interface gt Use of the setup Command The initial setup of the router can be done by using the setup command which enables an interface assigns an address netmask to it and configures the default route If you do not use the setup command or need to modify add the settings for addresses and routes please follow the steps described below Adding Addresses Assume you need to configure the MikroTik router for the following network setup L Internet Server Internet 10 0 0 4 erm Gatewa Public Network 10 0 0 10 0 0 0 24 j interface Public ts address 10 0 0 217 24 interface Local address 192 168 0 254 24 i Laptop Workstation 192 168 0 1 19216802 Please note that the addresses assigned to different interfaces of the router should belong to different networks In the current example we use two networks e The local LAN with network address 192 168 0 0 and 24 bit netmask 255 255 255 0 The router s address is 192 168 0 254 in this network e Th
117. enabled, the MikroTik router responds to DNS requests on TCP and UDP ports 53. Make sure you do not block this port in the firewall setup. DNS Cache Setup: DNS cache management can be accessed under the ip dns-cache submenu. DNS client configuration (accessible under ip dns submenu) is not required. To enable DNS cache, use the set command, for example: [admin@MikroTik] ip dns-cache> set enabled=yes dns-server=159.148.60.2 [admin@MikroTik] ip dns-cache> print enabled: yes size: 512 dns-server: 159.148.60.2 [admin@MikroTik] ip dns-cache> Descriptions of settings: enabled - defines whether DNS cache (TCP and UDP port 53) is enabled or not; size - maximum number of entries in the cache; dns-server - parent DNS server that is used to resolve requests absent in the cache. Monitoring DNS Cache: Currently no monitoring of DNS cache is available. Later versions of MikroTik RouterOS will have option of DNS cache static entries as well as cache monitoring. Additional Resources: Links to DNS documentation: http://www.freesoft.org/CIE/Course/Section2/3.htm http://www.networksorcery.com/enp/protocol/dns.htm http://www.ietf.org/rfc/rfc1035.txt?number=1035 © Copyright 1999-2002, MikroTik. Firewall Filters and Network Address Translation (NAT). Document revision 5-Sep-2002. This document applies to the
118. entering the license key, you can enter shutdown to shut down the router and enter the license key later, or enter display to read the License Agreement, or help to see a help message. After entering the correct Software License Key you will be presented with the MikroTik Router's login prompt. Logging into the MikroTik Router: When logging into the router via terminal console, you will be presented with the MikroTik RouterOS login prompt. Use 'admin' and no password (hit 'Enter') for logging on to the router for the first time, for example: MikroTik v2.6 Login: admin Password: The password can be changed with the password command. Adding Software Packages: The basic installation comes with only the system package and few other packages. This includes basic IP routing and router administration. To have additional features such as IP Telephony, OSPF, wireless and so on, you will need to download additional software packages. The additional software packages should have the same version as the system package. If not, the package won't be installed. Please consult the MikroTik RouterOS Software Package Installation and Upgrading Manual for more detailed information about installing additional software packages. Software Licensing Issues: If you want to upgrade to a 'paid' version of your MikroTik RouterOS installation, please purchase the new Software License KEY for the Software ID you used when getting the free demo license
119. firewall rule in destination nat has to be added specifying which connections to which ports should be transparently redirected to the proxy For example we have the following web proxy settings admin MikroTik ip web proxy gt print enabled yes address 0 0 0 0 3128 hostname proxy mt lv transparent proxy yes parent proxy 10 5 5 1 8080 cache administrator support mt 1lv max object size 10000 kB status running reserved for cache 2633728 kB admin MikroTik ip web proxy gt If we want all connections coming from interface etherl and going to port 80 to handle with web proxy transparently and if our web proxy is listening on port 8080 then we add following destination nat rule admin MikroTik ip firewall dst nat gt add in interface etherl protocol tcp dst address 10 0 0 1 32 80 action redirect to dst port 8080 admin MikroTik ip firewall dst nat gt print MikroTik RouterOS V2 6 Reference Manual 319 WEB Proxy Flags X disabled I invalid 0 src address 0 0 0 0 0 0 65535 in interface etherl dst address 10 0 0 1 32 80 protocol tcp icmp options any any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action redirect to dst address 0 0 0 0 to dst port 8080 admin MikroTik ip firewall dst nat gt Here the router s address and port 80 10 0 0 1 32 80 have been excluded from redirection to preserve the winbox functionality which uses TCP port 80 on the
120. following examples e Point to Multipoint Wireless Infrastructure e Point to Point with MikroTik Client Peer to Peer or Ad Hoc Wireless LAN e Point to Point with Windows Client Peer to Peer or Ad Hoc Wireless LAN Point to Multipoint Wireless LAN Let us consider the following network setup with WaveLAN ORiNOCO or CISCO Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client MikroTik RouterOS V2 6 Reference Manual 205 WaveLAN ORiINOCO 2 4GHz 11Mbps Wireless Interface Wireless 2 Accesspoint a Internet ssid mt l frequency 2442 se internat 10 1 1 254 2 4GHz Wireless Network TIMbps Y 10 1 1 0 24 Wireless Router MikroTik interface wavelan1 ssid1 mt mode infrastructure address 10 1 1 12 24 interface ether1 address 192 168 0 254 24 Local Network 192 166 0 0 24 at lt gt Workstation Laptop 192 168 0 1 192 168 0 2 The access point is connected to the wired network s HUB and has IP address from the network 10 1 1 0 24 The minimum configuration required for the AP is 1 Setting the Service Set Identifier up to 32 alphanumeric characters In our case we use ssid mt 2 Setting the allowed data rates at 1 11Mbps and the basic rate at 1Mbps 3 Choosing the frequency in our case we use 2452MHz 4 Setting the identity parameters ip address mask and gateway These are required if you want to access the AP remotely Reminder P
121. frequencies to scan time Time to scan one frequency admin MikroTik interface prism gt scan prisml 00 02 6f 01 5d fe fequency 2412MHz ssid waubonsie_low_apl signal level 132 00 02 6 01 63 0b fequency 2427MHz ssid john signal level 114 00 02 6f 01 62 ee fequency 2462MHz ssid sales signal level 0 admin MikroTik interface prism gt Argument description lt interface gt interface name to use for scanning frequencies list of frequencies to scan for e g 2412MHz 2427MHz time time to scan for one frequency The total time used for scanning is multiplier of this value and the number of frequencies to scan The result of scanning contains a list of discovered access points along with their MAC addresses channel frequencies service set identificators and the measured signal level Logging of Prism Interface The prism interface status changes can be logged locally or to a remote syslog daemon by enabling the logging facility for example admin MikroTik system logging facility gt set Prism Info logging local admin MikroTik system logging facility gt print FACILITY LOGGING PREFIX REMOTE ADDRESS REMOTE PORT 0 Firewall Log none 1 PPP Account none 2 PPP Info none 3 PPP Error none 4 System Info local 5 System Error local 6 System Warning local 7 Prism Info local admin MikroTik system logging facility gt The local logs can be viewed using the log print command
122. from the same network since the P2P connections have addresses with 32 bit netmasks anyway What you set on the server side does not matter so much it can be address of router s another interface or some arbitrary address Please consult General Point to Point Settings manual on authorization filtering and accounting settings Please see the IP Addresses and Address Resolution Protocol ARP Manual how to give out addresses to PPPoE clients from the same address space you are using on your local network PPPoE bandwidth setting For local authentication this can be set in the ppp profile menu with the tx bit rate and rx bit rate values identical to bits s For Radius authentication the account of each user in the radius server should MikroTik RouterOS V2 6 Reference Manual 162 Point to Point Protocol over Ethernet PPPoE be set with Parameter Ascend Data Rat vendor id 529 attribute id 197 in bits s If there is one attribute sent then both tx and rx are set to that rate in b s If there two attributes sent then the first will be the tx and the second will be the rx in bits s This means you need to add two lines to your radius attributes if you want to set tx and rx to different speeds PPPoE in a multipoint wireless 802 11b network In a wireless network the PPPoE server may be attached to our PRISMII 2 4GHz Access Point station mode interface Either our RouterOS client or Windows PPPoE clien
123. function PPP Secret ppp secret submenu defines P2P users and defines owner and profile for each of them admin MikroTik ppp secret gt print Flags X disabled NAME SERVICE CALLER ID PASSWORD PROFIL 0 ex any 1k3rht defaul admin MikroTik ppp secret gt print detail Flags X disabled 0 name ex service any caller id password 1k3rht profile default local address 0 0 0 0 remote address 0 0 0 0 routes EE El admin MikroTik ppp secret gt Argument description name user name service specifies service that will use this user any async isdn pppoe pptp caller id For PPTP this may be set the IP address which a client must connect from in the form of a b c d For PPPoE the MAC address which the client must connect from can be set in the form or Xx XX XxX Xx XX xXx When this is not set there are no restrictions on from where clients may connect password user password profile profile name for the user local address either address or pool Assigns an individual address to the PPP Server remote address either address or pool Assigns an individual address to the PPP Client routes routes that appear on the server when the client is connected The route format is dst address gateway metric for example 10 1 0 0 24 10 0 0 1 1 Several routes may be specified separated with commas Active Users Current active
124. has been established to the server password verification in progress Connected self explanatory Terminated interface is not enabled or the other side will not establish a connection PPTP Server Setup The PPTP server supports unlimited connections from clients For each current connection a dynamic interface is created The PPTP server management can be accessed under the interface pptp server server submenu You can enable the PPTP server using the set command MikroTik RouterOS V2 6 Reference Manual 166 fadmin MikroTik protocol within IP print get find set add Point to Point Tunnel Protocol PPTP interfac pptp server gt Tunneling means encapsulating data of one protocol type within another protocol and sending it over a channel that understands the encapsulating This particular tunneling driver implements encapsulation of PPP See also general ppp server settings Show PPTP interfaces get value of item s property Find interfaces Change interfac create new item remov nabl Remove interfac nables items disable server export admin admin prin ge se expor admin t ct At a authentication default profile admin MikroTik admin MikroTik authentication default profile admin MikroTik ikroTik ikroTik ikroTik disables items properties interfac PP tp EV r gt server interfac get value of prope
125. i e destination address of the route applying the network mask and prefix length Prefix length match network mask of the received route For example if prefix 172 16 0 0 16 and prefix length 16 24 then received route for 172 16 24 0 24 will match but route for 172 16 24 0 25 will not Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 352 Routing Information Protocol RIP Document revision 14 Jan 2003 This document applies to MikroTik RouterOS V2 6 Overview Routing Information Protocol RIP is one protocol in a series of routing protocols based on Bellman Ford or distance vector algorithm This interior routing protocol lets routers in the same autonomous system exchange routing information in the way of periodic RIP updates Routers transmit their own RIP updates to neighboring networks and listen to the RIP updates from the routers on those neighboring networks to ensure their routing table reflects current state of the network and all the best paths are available Best path is a path with the fewest hops routers gateways Topics covered in this manual e RIP Installation on the MikroTik RouterOS e RIP Routing Setup RIP Interface Setup 4 RIP Networks RIP Neighbors RIP Routes 4 Additional Resources e RIP Examples The Configuration of the MikroTik Router The Configuration of the Cisco Router RIP Installation on the MikroTik RouterOS The rip 2 6 y npk package is required
126. identity string of remote peer secret secret string If it starts with Ox it is parsed as a hexadecimal value Manual SA To add manual sa entry use ip ipsec manual sa add command admin MikroTik ip ipsec manual sa gt add ah key A0 0A admin MikroTik ip ipsec manual sa gt print Flags X disabled I invalid 0 name sal ah algorithm null esp auth algorithm null esp enc algorithm null ah key A0 0A esp auth key esp enc key ah spi 100 esp spi 100 admineMikroTik ip ipsec manual sa gt Command parameters are ah algorithm Authentication Header encryption algorithm one of the following md5 128 bit key 4 null any key length shal 160 bit key esp auth algorithm Encapsulating Security Payload authentication encryption algorithm one of the following md5 128 bit key 4 null any key length shal 160 bit key MikroTik RouterOS V2 6 Reference Manual 262 IPsec esp auth algorithm Encapsulating Security Payload encryption algorithm one of the following md5 128 bit key 4 null any key length shal 160 bit key ah key incoming authentication key outgoing authentication key ah spi incoming SA SPl outgoing SA SPI in hexadecimal May be equal esp auth key incoming authentication key outgoing authentication key esp enc key incoming encryption key outgoing encryption key esp spi incoming SA SP
127. in or out that will install rule only for incoming or outgoing traffic Multiple filter id can be provided but only last ones for incoming and outgoing is used Acct Interim Interval interim update for RADIUS client if 0 uses the one specified in RADIUS client MS MPPE Encryption Policy require encryption parameter MS MPPE Encryption Type use encryption parameter Non 0 value means use encryption Ascend Data Rate tx rx data rate limitation for PPPoE If multiple attributes are provided first limits tx data rate second rx data rate 0 if unlimited MS CHAP2 Success auth response if MS CHAPv2 was used MS MPPE Send Key and MS MPPE Recv Key encryption keys for encrypted PPP PPTP and PPPoE provided by RADIUS server only if MS CHAPv2 was used as authentication for PPP PPTP PPPoE only Accounting information sent to server Accounting Request Acct Status Type Start Stop or Interim Update Acct Session Id accounting session ID Service Type same as in request Framed Protocol same as in request MikroTik RouterOS V2 6 Reference Manual 151 General Point to Point Settings NAS Identifier same as in request User Name same as in request NAS Port Type same as in request NAS Port Id same as in request Calling Station Id same as in request Called Station Id same as in request Acct Authentic authenticated by whom Framed IP Address IP address given to the user Class RADIUS server cook
128. interface ipip gt print Flags X disabled R running AME MTU LOCAL ADDRESS REMOTE ADDRESS 0 X test_IPIP 1480 10 0 0 204 100200 DE admin MikroTik interface ipip gt enable 0 admin MikroTik interface ipip gt print Flags X disabled R running E MTU LOCAL ADDRESS REMOTE ADDRESS OR test_IPIP 1480 10 0 0 204 10 0 0 171 admin MikroTik interface ipip gt D t El Descriptions of settings name Interface name for reference mtu Maximum Transmit Unit Should be set to 1480 bytes to avoid fragmentation of packets May be set to 1500 bytes if mtu path discovery is not working properly on links local address Local address on router which sends IPIP traffic to the remote side remote address The IP address of the other side of the IPIP tunnel may be any RFC 2003 compliant router Use ip address add command to assign an IP address to the IPIP interface There is no authentication or state for this interface The bandwidth usage of the interface may be monitored with the monitor feature from the interface menu The router at the other end should have the remote address set to MikroTik IPIP CISCO Example Our IPIP implementation has been tested with Cisco 1005 Sample of the Cisco 1005 configuration interface Tunnel0 ip address 10 3 0 1 255 255 255 0 tunnel source 10 0 0 171 tunnel destination 10 0 0 204 tunnel mode ipip Additio
129. interface set to send M3P packets expected size the average size packet you expect for aggregation i e if your VoIP generates 100 byte packets this would be the expected size This is used by the protocol to determine if it should wait for another packet to complete the aggregated packet determined by the aggregated size setting or send an aggregated packet immediately even though it has not reached the size of the aggregated size setting aggregated size the maximum size of the aggregated packet the suggested setting is 1000 bytes and the maximum setting is the MTU size of the interface generally 1500 bytes To see the interface settings use admin MikroTik ip packing interface gt print Flags X disabled INTERFACE 0 X bridgel 1 X etherl 2 X Local219 3 wireless admin MikroTik ip packing interface gt Copyright 1999 2002 MikroTik Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 304 MikroTik Neighbor Discovery Protocol MNDP Document revision 9 Aug 2002 This document applies to the MikroTik RouterOS v2 6 Overview The MikroTik Neighbor Discovery Protocol MNDP eases configuration and management by enabling each MikroTik router to discover other connected MikroTik routers and learn information about the system and features which are enabled The MikroTik routers can then automatically use set features with minimal or no configuration MN
130. interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MRU to 1460 to avoid fragmentation of packets connect to the IP address of the PPTP server to connect to user user name to use when logging on to the remote server password user password to use when logging to the remote server profile profile to use when connecting to the remote server add default route When the PPTP connection is up the default route gateway will be added using as gateway the other side of the PPP link If the PPTP client is configured properly and it has established a connection to the server you can 1 Monitor the connection using the interface pptp client monitor command 2 See the pptp out interface under the interface print list 3 See the dynamic IP address under the ip address print list 4 if add default route is set to yes See the dynamic default route under the ip route print list Example of an established connection admin MikroTik interface pptp client gt monitor test2 uptime 4h35s encoding MPPE 128 bit stateless status Connected admin MikroTik interface pptp client gt Description of display uptime Connection time displayed in days hours minutes and seconds encoding Encryption being used in this connection status The status of this client may be Dialing attempting to make a connection Verifying password connection
131. is displayed You can try to clear the winbox cache or wipe out the cache folder and then reload the plugins To clear the winbox plugin cache on your computer choose the Clear Cache option in the Winbox system menu of the login window [Screenshot: Winbox system menu with the Clear Cache option] To wipe out the winbox plugin cache on your computer find the cache file location using the registry Key HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Explorer ShellFolders AppData For example for the user Administrator on W2K the Winbox folder is under C Documents and Settings Administrator Application Data Mikrotik On W95 98 the Winbox folder is under C Windows Application Data Mikrotik • I still cannot open the Winbox Console The Winbox Console uses TCP port 3987 Make sure you have access to it through the firewall MikroTik RouterOS V2 6 Reference Manual 15 Configuring Basic Functions Working with Interfaces Before configuring the IP addresses and routes please check the interface menu to see the list of available interfaces If you have PCI Ethernet cards installed in the router it is most likely that the device drivers have been loaded for them automatically and the relevant interfaces appear on the interface print list for example admin MikroTik interface gt print Flags X disabled D dynamic R ru
132. is used instead So there is no use of specifying to srce address for src nat rules with action masquerade and no use of specifying to dst address for dst nat rules with action redirect Note that to dst port is meaningful for REDIRECT rules this is port on which service on router that will handle these requests is sitting e g web proxy When packet is dst natted no matter action nat or action redirect dst address is changed Information about translation of addresses including original dst address is kept in router s internal tables Transparent web proxy working on router when web requests get redirected to proxy port on router can access this information from internal tables and get address of web server from them If you are dst natting to some different proxy server it has no way to find web server s address from IP header because dst address of IP packet that previously was address of web server has changed to address of proxy server Starting from HTTP 1 1 there is special header in HTTP request which tells web server address so proxy server can use it instead of dst address of IP packet If there is no such header older HTTP version on client proxy server can not determine web server address and therefore can not work It means that it is impossible to correctly transparently redirect HTTP traffic from router to some other transparent proxy box Only correct way is to add transparent proxy on the router itself
133. it and enable the service admin MikroTik snmp gt set contact Sysadmin 555 1212 location MikroTik enabled yes admin MikroTik snmp gt print enabled yes MikroTik RouterOS V2 6 Reference Manual 416 SNMP Service contact Sysadmin 555 1212 location MikroTik admin MikroTik snmp gt Description of arguments contact location Informative only settings for the NMS enabled SNMP service is disabled by default SNMP Communities Community management can be accessed under the snmp community menu The default community for the SNMP is public admin MikroTik snmp gt community admin MikroTik snmp community gt print NAME READ ACCESS 0 public yes admineMikroTik snmp community gt Argument description name Community name read access Enables or disables the read access for the community You can add new communities and change the read access type for example admin MikroTik snmp community gt set public read access no admin MikroTik snmp community gt add name private admin MikroTik snmp community gt print NAME READ ACCESS 0 public no 1 private no admin MikroTik snmp community gt Tools for SNMP Data Collection and Analysis MRTG Multi Router Traffic Grapher is the most commonly used SNMP monitor http ee staff ethz ch oetiker webtools mrtg Example of using MRTG with Mikrotik SNMP Here is a example configuration file for
134. just one internal number This example prints all ethernet interfaces each followed by all addresses that are assigned to it admin MikroTik gt foreach i in interface find type ether do put interface get Si name foreach j in ip address find interface i do put ip address get j address Hassi E ether1 ether2 10 0 0 65 24 admin MikroTik gt delay This command does nothing for a given amount of time The unnamed argument should be a time interval value It is optional and if delay is executed without any arguments it does nothing for one second e time This command takes one unnamed argument containing console commands Commands are executed and the time it took to execute them is printed and returned admin MikroTik gt time delay 1756ms Li PODS 335 admin MikroTik gt put time delay 1 007464s 1s7 464ms admin MikroTik gt e log This command adds an entry in the system logs message argument is the text of log entry facility argument tells at which logging facility see system logging facility this message should be logged the default is System Info admin MikroTik gt log facility System Warning message Very Bad Thing happened admin MikroTik gt e environment print This command prints information about variables All global variables in the system are listed under heading Global Variables All variable names that are introduced in th
135. kroTik RouterOS v2 6 c 1999 2002 http www mikrotik com Terminal xterm detected using multiline mode fadmin MikroTik gt The command prompt shows the identity name of the router and the current menu level for example MikroTik gt MikroTik interface gt MikroTik ip address gt Base level menu IP Address management Interface configuration The list of available commands at any menu level can be obtained by entering the question mark for example admineMikroTik gt driver Driver management file Local router file storage import Run exported configuration script interfac Interface configuration log System logs password Change password ping Send ICMP Echo packets port Serial ports quit Quit console redo Redo previosly undone action setup Do basic setup of system undo Undo previous action user User management Ppp snmp snmp settings isdn channels ISDN channel status info ip queue Bandwidth management system System information and utilities tool routing export admin MikroTik gt ip accounting Traffic accounting address Address management arp ARP entries management dns DNS settings firewall Firewall management neighbour neighbours packing Packet packing settings pool IP address pools route Route management MikroTik RouterOS V2 6 Reference Manual Navigating the Terminal Console service policy routing dhcp client DHCP client settings dhcp server DHCP server settin
136. mac address MAC address Cannot be changed distance distance setting for the link 0 10 2km rx diversity Receive diversity disabled enabled tx diversity Transmit diversity disabled enabled default destination default destination ap as specified first ap first client no destination It sets the destination where to send the packet if it is not for a client in the radio network default address MAC address of a host in the radio network where to send the packet if it is for none of the radio clients max retries maximum retries before dropping the packet sid Service Set Identifier card name Card name arp Address Resolution Protocol one of the disabled the interface will not use ARP protocol enabled the interface will use ARP protocol proxy arp the interface will be an ARP proxy see corresponding manual 4 reply only the interface will only reply to the requests originated to its own IP addresses but neighbour MAC addresses will be gathered from ip arp statically set table only You can monitor the status of the wireless interface fadmin MikroTik interface radiolan gt monitor radiolanl default 00 00 00 00 00 00 valid no fadmin MikroTik interface radiolan gt Here the wireless interface card has not found any neighbour To set the wireless interface for working with another wireless card in a point to point link you should set
137. manages in ip hotspot user submenu admin MikroTik ip hotspot user gt print Flags X disabled NAME PASSWORD ADDRESS PROFIL 0 ax ex 10 0 0 3 defaul admin MikroTik ip hotspot user gt print detail Flags X disabled 0 name ax password ex address 10 0 0 3 profile default routes limit uptime 0s limit bytes in 0 limit bytes out 0 uptime 29m40s bytes in 187476 packets in 683 bytes out 327623 packets out 671 admin MikroTik ip hotspot user gt UPTIME 29m40s FFO VA Parameter description name user name password user password address static IP address If not 0 0 0 0 client will get always the same IP address It implies that only one simultaneous login for that user is allowed profile user profile routes user routes Usage and meaning is exactly the same as for ppp MikroTik RouterOS V2 6 Reference Manual 240 HotSpot Gateway limit bytes in maximum amount of bytes user can receive limit bytes out maximum amount of bytes user can transmit limit uptime total uptime limit for user pre paid time If auth mac parameter is enabled clients MAC addresses written with CAPITAL letters can be used as usernames If auth mac password is set to no there should be no password for that users Else the username and the password should be equal When client is connecting it s MAC address is checked first If there is a user with that MAC address the client is
138. match any of the destination patterns therefore it is rejected If nr 123456 it does not match any of the destination patterns therefore it is rejected If nr 1234 it does not match any of the destination patterns incomplete for record 0 therefore it is rejected If nr 12345 it matches the record 0 therefore number is dialed over the voice port XX If nr 11111 it matches the record 1 therefore number 1 is dialed over the voice port YY If nr 22987 it matches the record 2 therefore number 333987 is dialed over the voice port ZZ If nr 22000 it matches the record 2 therefore number 333000 is dialed over the voice port ZZ If nr 444 it matches the record 3 therefore number 55444 is dialed over the voice port QQ Let us add a few more records admin MikroTik ip telephony numbers gt print Flags I invalid X disabled DST PATTERN VOICE PORT PREFIX 4 222 KK 44444 5 Ses LL 553 admin MikroTik ip telephony numbers gt If nr 222 gt the best match is the record 4 gt nc 44444 vp KK The best match means that it has the most coinciding digits between the nr and destination pattern If nr 221 gt incomplete record 2 gt call is rejected If nr 321 gt the best match is the record 5 gt nc 55321 vp LL If nr 421 gt matches the record 3 gt nc 55421 vp QQ If nr 335 gt the best match is the record 5 gt nc 55321 vp LL MikroTik RouterOS V2 6 Reference Ma
139. metric connected metric the distance to the destination for connected routes e metric ospf metric the distance to the destination for OSPF routes e metric bgp metric the distance to the destination for BGP routes update timer time period for RIP update to start e timeout timer time period after route is no longer valid e garbage timer time period after dropped out route is dropped from neighbor router table Set the desired argument values to yes for redistributing the routing information to other routers for example admineMikroTik admineMikroTik routing rip gt set redistribut routing rip gt print connected yes redistribute static no redistribute connected yes redistribute ospf no redistribute bgp no metric static 1 metric connected 1 metric ospf 1 metric bgp 1 update timer 30s timeout timer 3m garbage timer 2m fadmin MikroTik routing rip gt Note that maximum metric of RIP route can be 15 Metric higher than 15 is considered infinity and routes with such metric are considered unreachable Thus RIP cannot be used on networks with more than 15 hops between any two routers and using redistribute metrics larger than 1 further reduces this maximum hop count RIP Interface Setup To run RIP you don t have to configure interfaces routing rip interface command level is only for additional configuration of RIP specific interface parameters
140. no 7 framerelay 2 6betal aug 09 2002 20 52 09 no admineMikroTik gt Line 7 shows that required package framerelay 2 6beta4 npk is installed Package enables Frame Relay PVC Permanent Virtual Circuit interface which acts as a logical network interface where endpoints and class of service are defined by network management This MikroTik RouterOS V2 6 Reference Manual 113 FrameRelay PVC Interfaces logical interface is using one of supported Moxa or Cyclades synchronous adapters as a physical interface Configuring Frame Relay Interface To configure frame relay you should first set up the synchronous interface and then the PVC interface Cyclades PC300 interface admin MikroTik gt interface cyclades print Flags X disabled R running O R name cyclades1 mtu 1500 line protocol sync ppp media type V35 clock rate 64000 clock source external line code B8ZS framing mode ESF line build out 0dB rx sensitivity short haul frame relay l1mi type ansi frame relay dce no chdlc keepalive 10s fadmin MikroTik gt Argument description e name Assigned name of the interface e mtu Maximum Transfer Unit of an interface e line protocol Line protocol cisco hdlc frame relay sync ppp e media type The hardware media used for this port E1 T1 V24 V35 X21 e clock rate Speed of the clock e clock source Source of the clock external internal tx internal e lin
141. not included in the Free Demo or Basic Software License The 2 4GHz Wireless Feature cannot be obtained for the Free Demo License It can be obtained only together with the Basic Software License System Resource Usage Before installing the wireless adapter please check the availability of free IRQ s and I O base addresses admin MikroTik gt system resource irq print Flags U unused IRQ OWNER de keyboard APIC 2 3 4 syncl 5 Wavelan 802 11 6 7 8 U 9 U 10 11 etherl U 12 13 FPU 14 IDE 1 admin MikroTik gt system resource io print PORT RANGE OWNER 20 3F APIC 40 5F timer 60 6F keyboard 80 8F DMA AO BF APIC CO DF DMA FO FF FPU 100 13F Wavelan 802 11 MikroTik RouterOS V2 6 Reference Manual 202 WaveLAN ORiNOCO 2 4GHz 11Mbps Wireless Interface 1F0 1F7 IDE 1 3C0 3DF VGA 3F6 3F6 IDE 1 CF8 CFF PCI confl 1000 100F Silicon Integrated Systems SiS 5513 IDE 1000 1007 IDE 1 1008 100F IDE 2 6000 60FF Realtek Semiconductor Co Ltd RTL 8139 6000 60FF 8139too 6100 61FF Realtek Semiconductor Co Ltd RTL 8139 2 6100 61FF 8139too admin MikroTik gt Installing the Wireless Adapter Check the system BIOS settings for peripheral devices like Parallel or Serial communication ports Disable them if you plan to use IRQ s assigned to them by the BIOS Please note that not all combinations of I O base addresses and IRQ s may work on your motherboar
142. Starting the Winbox Console; Overview of Common Functions; Troubleshooting for Winbox Console; Configuring Basic Functions; Working with Interfaces; Use of the setup Command; Adding Addresses; Configuring the Default Route; Testing the Network Connectivity; Application Examples; Application Example with Masquerading; Application Example with Bandwidth Management; Application Example with NAT; MikroTik RouterOS V2 6 Reference Manual
143. or shal enc algorithm none des 3des aes src address source of SA from policy configuration dst address destination of SA from policy configuration auth key authentication key as hex string enc key encryption key as hex string only used by ESP SAs direction in or out current addtime time when this SA was installed current usetime time when this SA was first used current bytes amount of data processed by this SA s crypto algorithms add lifetime expiration time counted from installation of SA soft hard use lifetime expiration time counter from the first use of SA soft hard gt lifebytes expiration threshold for amount of processed data soft hard Counters Prints miscellaneous counters admin MikroTik ip ipsec gt counters print out accept 2298 out drop 0 out encrypt 4 in accept 3497 in drop 0 in decrypted 4 in accept isakmp 20 out accept isakmp 12 in drop encrypted expected 0 admin MikroTik ip ipsec gt Description of the printout out accept how many outgoing packets were matched by accept policy including the default accept all case MikroTik RouterOS V2 6 Reference Manual 264 IPsec out accept isakmp how many locally originated UDP packets on source port 500 which is how ISAKMP packets look were let through without policy matching out drop how many outgoing packets were matched by drop policy or enc
144. ours ip ipsec peer add address 10 0 0 81 500 exchange mode main send initial contact no proposal check obey hash algorithm sha A enc algorithm 3des dh group modp1024 2 Add pre shared secret to identify remote client ip ipsec pre shared secret add address 10 0 0 81 secret x x xx xx 3 Add encryption proposal Use MD5 DES and Diffie Hellman Group 1 for Perfect Forward Secrecy ip ipsec proposal add name sw client auth algorithms md5 enc algorithms des lifetime 30m pfs group modp7168 4 Add policy rule that matches traffic between remote client and 1 1 1 0 24 network use ESP in tunnel mode to encrypt all data ip ipsec policy add src address 1 1 1 0 24 dst address 10 0 0 81 32 action encrypt ipsec protocols esp tunnel yes sa src address 10 0 0 204 sa dst address 10 0 0 81l proposal sw client Configuring SonicWALL Here you create IPSec policy that should match all traffic between 10 0 0 81 host and 1 1 1 0 24 network You also specify the address of remote IPSec peer [Screenshot: Security Policy Editor, SonicWALL VPN Client]
145. pad If the number is incorrect busy tone is played If the number is correct then the appropriate number is dialed If it is an incoming call from the PSTN line linejack then the directcall mode is used the line is picked up only after the remote party answers the call playback volume playback volume in dB 0dB means no change possible values are 48 48dB record volume recording volume in dB OdB means no change possible values are 48 48dB ring cadence only for quicknet cards a 16 symbol ring cadence for the phone each symbol is 0 5 seconds means ringing means no ringing region regional setting for the voice port For phonejack this setting is used for generating the tones For linejacks this setting is used for setting the parameters of PSTN line as well as for detecting and generating the tones aec echo detection and cancellation Possible values are yes and no If the echo cancellation is on then the following parameters are used aec tail length size of the buffer of echo detection Possible values are short medium long aec nIp threshold level of cancellation of silent sounds Possible values are off low medium high aec attenuation scaling factor of additional echo attenuation Possible values are 0 10 aec attenuation boost level of additional echo attenuation Possible values are 0 90dB software aec software echo cancelle
146. parent: name of the parent queue. The top level parents are the available interfaces (actually, main CBQ). Lower level parents can be other queues. Dynamic queues (created with the simple queue tool) cannot be used as parents. flow: flow mark of the packets to be queued. Flow marks can be assigned to the packets under ip firewall mangle when the packets enter the router through the incoming interface. limit at: Maximum stream bandwidth (bits/s). 0 means no limit (default for the interface). max burst: Maximal number of packets allowed for bursts of packets when there are no packets in the queue. Set to 0 for no burst. queue: queue type. See the queue type for available types. priority: Flow priority (1 to 8), 1 is the highest. weight: Flow weight in the Weighted Round Robin process. allot: Number of bytes allocated for the bandwidth. Should not be less than the MTU for the interface. bounded: Queue is bounded. To apply queues on flows, the mangle feature should be used first to mark incoming packets: admin MikroTik ip firewall mangle gt add action passthrough mark flow abc http protocol tcp src port 80 admin MikroTik ip firewall mangle gt print Flags X disabled I invalid 0 src address 0 0 0 0 0 80 in interface all dst address 0 0 0 0 0 0 65535 protocol tcp tcp options any icmp options any any flow srec mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action pas
147. pc gt The other router of the point to point link requires the operation mode set to ad hoc, the System Service Identifier set to b_link, and the channel frequency set to 2412MHz. If the radios are able to establish RF connection, the status of the card should become synchronized and the green status led become solid immediately after entering the command: admin wnet_gw bitrate auto admin wnet_gw admin wnet_gw interface pc gt set 0 mode ad hoc ssid1 b_link frequency 2412MHz interface pc gt mo 0 synchronized associated frequency data rate ssid access point access point name signal quality signal strength error number yes no 2442MHz 11Mbit s be Jenks 2E 00 B8 01 98 01 131 83 0 interface pc gt As we see, the MAC address under the access point parameter is the same as generated on the first router. If desired, IP addresses can be assigned to the wireless interfaces of the point to point link routers using a smaller subnet, say 30 bit one: admin MikroTik ip address gt add address 192 168 11 1 30 interface aironet admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 11 1 30 192 168 11 0 192 168 11 3 aironet 1 192 168 0 254 24 192 168 0 0 192 168 0 255
148. pong 0 2 64 byte pong 0 2 64 byte pong 0 2 64 byte pong 4 tt1 255 time 3 ms tt1 255 time 4 ms tt1 255 time 10 ms tt1 255 time 5 ms packets received 3 10 5 10 ms ip address gt ping 10 10 10 tt1 255 time 10 ms tt1 255 time 11 ms tt1 255 time 10 ms tt1 255 time 13 ms packets received 10 11 13 ms MikroTik RouterOS V2 6 Reference Manual ip address gt ping 10 10 10 1 1 64 byte pong 1 64 byte pong 1 64 byte pong 1 64 byte pong 0 packet loss 2 0 packet loss 199 Virtual LAN VLAN Interface admin MikroTik ip address gt Additional Resources Links for VLAN documentation http www csd uwo ca courses CS457a reports handin pbojtos A2 trunking htm http www cisco com univercd cc td doc product software os121 121newft 121t 121t3 dtbridge htm xtocid114533 http www cisco com warp public 473 27 html tag ging http www cisco com warp public 538 7 html http www nwfusion com news tech 2001 0305tech html http www intel com network comnectivity resources doc_library tech brief virtual lans htm Currently Supported Interfaces This is a list of network interfaces on which VLAN was tested and worked e Realtek 8139 e Intel PRO 100 e Intel PRO1000 server adapter This is a list of network interfaces on which VLAN was tested and worked but WITHOUT LARGE PACKET gt 1496 bytes SUPPORT 3Com 3c59x PCI e DEC 21140 tulip Copyright 1999 2002 MikroTik MikroTik RouterOS
149. pppoe in25 3 DC 10 0 0 231 32 r 0 0 0 0 0 pppoe in26 admin MikroTik ip arp gt Using Unnumbered Interfaces. The unnumbered interfaces can be used on serial point to point links, e.g., MOXA C101, Cyclades interfaces. A private address should be put on the interface with the network being the same as an address on the router on the other side of the p2p link (there may be no IP on that interface, but there is an ip for that router). For example: admin MikroTik ip address gt add address 10 0 0 214 32 network 192 168 0 1 interface pppsync admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 214 32 192 168 0 1 192 168 0 1 pppsync admin MikroTik ip address gt admin MikroTik ip address gt route print detail Flags X disabled I invalid D dynamic J rejected connect S static R rip O ospf B bgp 0 S dst address 0 0 0 0 0 preferred source 0 0 0 0 gateway 192 168 0 1 gateway state reachable distance 1 interface pppsync 1 DC dst address 192 168 0 1 32 preferred source 10 0 0 214 gateway 0 0 0 0 gateway state reachable distance 0 interface pppsync admin MikroTik ip address gt Here you can see that a dynamic connected route has been automatically added to the routes list. If you want
150. processed in that chain. If the packet has not matched any rule within the chain, then the default policy action of the chain is performed. The list of currently defined chains can be viewed using the ip firewall print command: admin MikroTik ip firewall gt print NAME POLICY 0 input accept 1 forward accept 2 output accept admin MikroTik ip firewall gt These three chains cannot be deleted. The available policy actions are: accept: Accept the packet. drop: Silently drop the packet (without sending the ICMP reject message). none: N/A. You can change the chain policies by using the ip firewall set command. Note: Be careful about changing the default policy action to these chains. You may lose the connection to the router if you change the policy to drop and there are no rules in the chain that allow connection to the router. Usually packets should be matched against several criteria. More general filtering rules can be grouped together in a separate chain. To process the rules of additional chains, the jump action should be used to this chain from another chain. To add a new chain, use the ip firewall add command: admin MikroTik ip firewall gt add name router admin MikroTik ip firewall gt print NAME POLICY 0 input accept 1 forward accept 2 output accept 3 router none admin
151. proxy print to see the current web proxy status: admin MikroTik ip web proxy gt print enabled yes address 0 0 0 0 3128 hostname proxy mt lv transparent proxy yes parent proxy 10 5 5 1 8080 cache administrator support mt lv max object size 10000 kB status running reserved for cache 2633728 kB admin MikroTik ip web proxy gt Description of the parameters: enabled: whether web proxy is enabled or not. address: IP address (0.0.0.0 for any) and port (mandatory) on which proxy will listen for requests. hostname: hostname (DNS or IP address) of the web proxy. transparent proxy: use transparent mode. parent proxy: upper level proxy. Use 0.0.0.0:0 to disable parent proxy. max object size: objects larger than this size will not be saved on disk. The value is specified in kilobytes, and the default is 4096. If you wish to get a high bytes hit ratio, you should probably increase this (one 32 MB object hit counts for 3200 10KB hits). If you wish to increase speed more than you want to save bandwidth, you should leave this low. status: displays status of the proxy server. Can be one of the following: stopped: proxy is disabled and is not running. rebuilding cache: proxy is enabled and running, existing cache is being verified. running: proxy is enabled and running. stopping: proxy is shutting down (max 10s). clearing cache: p
152. q162 8 47 asp http://www.ietf.org/rfc/rfc2637.txt?number=2637 http://www.ietf.org/rfc/rfc3078.txt?number=3078 http://www.ietf.org/rfc/rfc3079.txt?number=3079 PrismII Wireless Client and Wireless Access Point Manual. Document revision 25 Nov 2002. This document applies to the MikroTik RouterOS V2.6. Overview. The MikroTik RouterOS supports the PrismII chipset based wireless adapter cards for working both as wireless clients (station mode) and wireless access points (ap bridge or bridge mode). See the list of supported Prism II chipset based hardware at the end of the document. Both PCI and PCMCIA card types are supported. For more information about adapter hardware, please see the relevant User's Guides and Technical Reference Manuals of the hardware manufacturers. Check Notes on PCMCIA Adapters for more information on PCMCIA adapters. Contents of the Manual. The following topics are covered in this manual: Supported Network Roles: Wireless Client, Wireless Access Point, Wireless Bridge; Installation: License, System Resource Usage, Installing the Wireless Adapter, Loading the Driver for the Wireless Adapter; Wireless Interface Configuration; Station Mode Configuration; Monitoring the Interface Status; Access Point Mode Configuration: Registration Table, Access List, Registering the Access Point to another Acc
153. retries average retries min retries O 00 Foe sent 11 successfully sent 11 max retries 0 average retries 0 min retries 0 sent 21 successfully sent 21 max retries 0 average retries 0 min retries 0 sent 31 successfully sent 31 max retries 0 average retries 0 min retries 0 sent 41 successfully sent 41 max retries 0 average retries 0 min retries 0 sent 50 successfully sent 50 max retries 0 average retries 0 min retries 0 admineMikroTik interface radiolan gt MikroTik RouterOS V2 6 Reference Manual 195 RadioLAN 5 8GHz Wireless Interface Wireless Troubleshooting e The radiolan interface does not show up under the interfaces list Obtain the required license for RadioLAN 5 8GHz wireless feature The wireless card does not obtain the MAC address of the default destination Check the cabling and antenna alignment Wireless Network Applications Point to Point Setup with Routing Let us consider the following network setup with two MikroTik Routers having RadioLAN interfaces e The Router 1 has IP address netmask 10 1 1 12 24 on the Ethernet interface etherl and 10 1 0 1 30 on the RadioLAN interface radiolan1 e The Router 2 has IP address netmask 192 168 0 254 24 on the Ethernet interface etherl and 10 1 0 2 30 on the RadioLAN interface radiolan1 The minimum configuration required for the RadioLAN interfaces of both routers is 1 Setting the Service Set Identifier up t
154. same as in request (from version 2.6.9). Called Station Id: same as in request (from version 2.6.9). Framed IP Address: IP address given to the user. RADIUS attributes additionally included in Stop and Interim Update Accounting Request packets: Acct Session Time: connection uptime in seconds. Acct Input Octets: bytes received from the client. Acct Input Packets: packets received from the client. Acct Output Octets: bytes sent to the client. Acct Output Packets: packets sent to the client. Stop Accounting Request packets can additionally have: Acct Terminate Cause: session termination cause (described in RFC2866 Ch. 5.10). HotSpot Profiles. The HotSpot profiles are similar to PPP profiles: admin MikroTik ip hotspot profile gt print Flags default 0 name default session timeout 0s idle timeout 0s only one no tx bit rate 0 incoming filter outgoing filter admin MikroTik ip hotspot profile gt Most of these parameters are exactly the same as for ppp profile: name: profile name. session timeout: session timeout for client. idle timeout: idle timeout for client. only one: only one simultaneous login per user (yes, no). tx bit rate: transmit bitrate, 0 means no limitation. incoming filter: firewall chain name for incoming packets. outgoing filter: firewall chain name for outgoing packets. Default profile will be used in case of
155. script admin MikroTik system script gt add name start_limit source queue simple set Cust0 limit at 64000 admin MikroTik system script gt add name stop_limit source queue simple set Cust0 limit at 128000 admin MikroTik system script gt print 0 name start_limit source queue simple set Cust0 limit at 64000 owner admin run count 0 1 name stop_limit source queue simple set Cust0 limit at 128000 owner admin run count 0 admin MikroTik system script gt scheduler admin MikroTik system scheduler gt add interval 24h name set 64k start time 9 00 00 script start_limit admin MikroTik system scheduler gt add interval 24h name set 128k start time 17 00 00 script stop_limit admin MikroTik system scheduler gt print Flags X disabled NAME SCRIPT START DATE START TIME INTERVAL RUN COUNT 0 set 64k start oct 30 2008 09 00 00 ld 0 1 set 128k stop_ oct 30 2008 17 00 00 ld 0 admin MikroTik system scheduler gt The following setup schedules script that sends each week backup of router configuration by e mail admin MikroTik system script gt add name e backup source system backup save name email tool mail send to root host com subject system identity get name Backup file email backup admin MikroTik system script gt print 0 name e backup source system backup save name ema owner admin run count
156. server. The PPTP client management can be accessed under the interface pptp client submenu. You can add a PPTP client using the add command: admin MikroTik interface pptp client gt add creates new item with specified property values add default route connect to PPTP server address copy from item number disabled mru Maximum Receive Unit mtu Maximum Transfer Unit name New interface name password profile user User name to use for dialout admin MikroTik interface pptp client gt add name test2 connect to 10 1 1 12 user john add default route yes password john admin MikroTik interface pptp client gt print Flags X disabled R running 0 X name test2 mtu 1460 mru 1460 connect to 10 1 1 12 user john password john profile default add default route yes admin MikroTik interface pptp client gt enable 0 admin MikroTik interface pptp client gt monitor test2 uptime 0s encoding status Terminated admin MikroTik interface pptp client gt Descriptions of settings: name: interface name for reference. mtu: Maximum Transmit Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for 1500 byte ethernet link, set the MTU to 1460 to avoid fragmentation of packets). mru: Maximum Receive Unit. The optimal value is the MTU of the
157. snapshot image with standard Unix/Linux utilities; Collection of snapshot image with MT_Syslog utility; Viewing of snapshot image from the console. Topics covered in this manual: Installation; Hardware Resource Usage; Traffic accounting setup; Traffic data description; Threshold settings; Traffic data display and collection; Traffic data analysis; Additional Resources. Installation. The Traffic Accounting feature is included in the system package. No installation is needed for this feature. Hardware Resource Usage. The maximum number (threshold) of IP pairs stored may require additional RAM installation. Each IP pair uses approximately 100 bytes. The system uses a current table, which accounts for current data. The system also keeps the snapshot table for retrieval. Therefore, the memory usage for the IP pairs can be calculated with: number of IP pairs x 100 bytes x 2 (for the two tables). The default threshold of IP pairs is set to 256 (50KB). When using the default threshold setting of 256, no additional memory is suggested. For threshold settings higher than 6500 (1MB), memory usage estimates should be made, system resources should be monitored, and RAM should be increased accordingly. The maximum setting is 8192 IP pairs. Traffic accounting setup. admin MikroTik ip accounting gt set enabled yes admin MikroTik ip accounting gt print thres
158. software package. Troubleshooting: Driver for a PCI or PC card does not load automatically. Check for a possible IRQ or IO conflict with other devices. The driver cannot be found on the system. Upload the required software package containing the required drivers and reboot the router. I have loaded the driver, but the interface does not show up. Obtain the required software license to enable the functionality of the interface. General Interface Settings. Document revision 23 Sep 2002. This document applies to the MikroTik RouterOS V2.6. Overview. MikroTik RouterOS supports a variety of Network Interface Cards and virtual interfaces, like VLAN interface, Bridge interface, etc. Current Manual describes general settings for MikroTik RouterOS interfaces. Contents of the Manual. The following topics are covered in this manual: Interface Status; Interface Specific Settings. Interface Status. Interface status can be shown using the interface print command, for example: admin MikroTik interface gt print Flags X disabled D dynamic R running NAME TYPE MTU 0 R ether2 ether 1500 1 R prism1 prism 1500 admin MikroTik interface gt Here, the arguments are: status (cannot be changed): shows the interface status. In order to use the interface, its status must be Running. name: descriptive name of interface. type
159. Contents of the Manual; Installation; Hardware Resource Usage; Bridge Monitoring; Bridge Firewall; Additional Bridge Firewall Resources; Troubleshooting; CISCO Aironet 2.4GHz 11Mbps Wireless Interface; Contents of the Manual; Wireless Adapter Hardware and Software Installation; Software Packages; Installing the Wireless Adapter; Loading the Driver for the Wireless Adapter; Wireless Interface Configuration; Wireless Troubleshooting; Wireless Network Applications; Point to Multipoint Wireless LAN
160. specify a condition for if argument, it is computed only once, before doing anything else, and if it is false, nothing is done. If it is true, everything is executed as usual. Note that do A while B is different from while B do A, because do evaluates condition after executing command, not before, like while does it. However, do A if B and if B do A do exactly the same thing. for: It has one unnamed argument, the name of loop variable. from argument is the starting value for loop counter, to value is the final value. This command counts loop variable up or down, starting at from and ending with to, inclusive, and for each value it executes the do commands. It is possible to change the increment from the default 1 (or -1) by specifying step argument: admin MikroTik gt for i from 100 to 1 step 37 do put i 1000 i 100 10 63 a5 26 38 admin MikroTik gt foreach: The unnamed argument is the name of the loop variable. in argument is treated as a list. Each value of this list in sequence is assigned to loop variable, and do commands are executed for this value. If in value is not a list, do commands are executed just once, with this value in the loop variable. If in value is empty, do commands are not executed at all. This is made to work well with find commands, which return lists of internal numbers, and may return empty list or
161. status. overloaded output: Only shown when the UPS reports this status. smart boost mode: Only shown when the UPS reports this status. smart ssdd mode: Only shown when the UPS reports this status. run time calibration running: Only shown when the UPS reports this status. run time left: the UPS's estimated remaining run time in minutes. You can query the UPS when it is operating in the on line, bypass, or on battery modes of operation. The UPS's remaining run time reply is based on available battery capacity and output load. battery charge: the UPS's remaining battery capacity as a percent of the fully charged condition. battery voltage: the UPS's present battery voltage. The typical accuracy of this measurement is 5% of the maximum value (depending on the UPS's nominal battery voltage). line voltage: the in line utility power voltage. output voltage: the UPS's output voltage. load: the UPS's output load as a percentage of full rated load in Watts. The typical accuracy of this measurement is 3% of the maximum of 105%. frequency: When operating on line, the UPS's internal operating frequency is synchronized to the line within variations within 3 Hz of the nominal 50 or 60 Hz. The typical accuracy of this measurement is 1% of the full scale value of 63 Hz. Example. When running on utility power: admin MikroTik system ups gt monitor on line yes on battery no run time left 11m batte
162. the BIOS. 2. Use the RLProg.exe to set the IRQ and Base Port address of the RadioLAN ISA card (Model 101). RLProg must not be run from a DOS window. Use a separate computer or a bootable floppy to run the RLProg utility and set the hardware parameters. The factory default values of I/O 0x300 and IRQ 10 might conflict with other devices. Please note that not all combinations of I/O base addresses and IRQs may work on your motherboard. As it has been observed, the IRQ 5 and I/O 0x300 work in most cases. For more information on installing PCMCIA cards, check Notes on PCMCIA Adapters first. Loading the Driver for the Wireless Adapter. The ISA card requires the driver to be loaded by issuing the following command: admin MikroTik gt driver add name radiolan io 0x300 admin MikroTik gt driver print Flags I invalid D dynamic DRIVER IRQ IO MEMORY ISDN PROTOCOL 0 D RealTek RTL8129 8139 1 ISA RadioLAN 0x300 admin MikroTik gt There can be several reasons for a failure to load the driver: The driver cannot be loaded because other device uses the requested IRQ. Try to set different IRQ using the RadioLAN configuration utility. The requested I/O base address cannot be used on your motherboard. Try to change the I/O base address using the RadioLAN configuration utility. Wireless Interface Configuration. If the driver has been loaded successfully (no error messages), and you have the required RadioLAN 5.8GHz Wire
163. the default gateway be the other router of the p2p link, just add a static route for it. It is shown as 0 in the example above. Troubleshooting: I added IP addresses 10.0.0.1/24 and 10.0.0.2/24 to the interfaces ether1 and ether2, but nothing works. Both addresses are from the same network 10.0.0.0/24; use addresses from different networks on different interfaces, or enable proxy arp on ether1 or ether2. I was going to use static ARP and have my network secured that way. For the first 10 minutes everything is fine, then router totally becomes unavailable. After you turn off ARP on router's interface, the dynamic ARP entries expire on the client computers. You should add the router's IP and MAC addresses to the static ARP entries of the workstations. IP Pool Management. Document revision 16 Dec 2002. This document applies to the MikroTik RouterOS v2.6. Overview. IP pools are used to define range of IP addresses that is used for DHCP server and ppp. Contents of the Manual. The following topics are covered in this manual: Installation; Hardware Resource Usage; IP Pool Description; IP Pool Setup; RADIUS settings; Monitoring Used IP Addresses. Installation. The IP pool feature is included in the system package. No installation is needed for this feature. Hardware Resource Usage. There is no significant resource usage
164. the following parameters The Service Set Identifier It should match the sid of the other card e The Distance should be set to that of the link For example if you have 6km link use distance 4 7km 6 6km All other parameters can be left as default admin MikroTik interface radiolan gt set 0 sid ba72 distance 4 7km 6 6km admin MikroTik interface radiolan gt print Flags X disabled R running O R name radiolan1 mtu 1500 mac address 00 A0 D4 20 4B E7 arp enabled MikroTik RouterOS V2 6 Reference Manual 194 RadioLAN 5 8GHz Wireless Interface card name 00A0D4204BE7 sid ba72 default destination first client default address 00 00 00 00 00 00 distance 4 7km 6 6km max retries 15 tx diversity disabled rx diversity disabled admin MikroTik interface radiolan gt monitor 0 default 00 A0 D4 20 3B 7F valid yes fadmin MikroTik interface radiolan gt You can monitor the list of neighbours having the same sid and being within the radio range admin MikroTik interface radiolan gt neighbor radiolanl print Flags A access point R registered U registered to us D our default destination NAME ADDRESS ACCESS POINT D 00A0D4203B7F 00 A0 D4 20 3B 7F admin MikroTik interface radiolan gt You can test the link by pinging the neighbour by its MAC address admin MikroTik interface radiolan gt ping 00 a0 d4 20 3b 7f radiolanl size 1500 count 50 sent successfully sent max
165. the system startup. Note that it is recommended to use Atheros wireless cards in the systems with CPU speed higher than Celeron 600MHz or other equivalent. Loading the Driver for the Wireless Adapter. PCI, miniPCI, PC (PCMCIA) and CardBus cards do not require a manual driver loading, since they are recognized automatically by the system and the driver is loaded at the system startup. Wireless Interface Configuration. If the driver has been loaded successfully, and you have the required Wireless Software License (same license is valid for 2.4GHz and 5GHz devices), then the Atheros Wireless interface should appear under the interface list with the name atherosX, where X is 1, 2. You can change the interface name to a more descriptive one using the set command. To enable the interface, use the enable command: admin MikroTik gt interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 R ether1 ether 1500 1 X atheros1 atheros 1500 admin MikroTik gt interface enable 1 admin MikroTik gt interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 R ether1 ether 1500 1 R atheros1 atheros 1500 admin MikroTik gt More configuration and statistics parameters can be found under the interface atheros menu: admin MikroTik interface atheros gt print Flags X disabl
166. them. CAUTION: Using broadcast, multicast and manycast modes is dangerous. Intruder or simple user can set up his own NTP server. If this new server is chosen as time source for your server, it will be possible for this user to change time on your server at his will. TIMEZONE. NTP changes local clock to UTC (GMT) time by default. To specify different time zone, time zone parameter under system clock has to be changed: admin MikroTik gt system clock print time aug 12 2002 18 31 20 time zone 00 00 admin MikroTik gt Time zone is specified as a difference between local time and GMT time. For example, if GMT time is 18:00:00, but correct local time is 19:00:00, then time zone has to be set to 1 hour: admin MikroTik gt system clock set time zone 3 admin MikroTik gt system clock print time aug 12 2002 21 31 57 time zone 03 00 admin MikroTik gt If local time is before GMT time, time zone value will be negative. For example, if GMT is 18:00:00, but correct local time is 15:00:00, time zone has to be set to -3 hours: admin MikroTik gt system clock set time zone 3 admin MikroTik gt system clock print time aug 12 2002 15 32 20 time zone 03 00 admin MikroTik gt
167. time 40 time 28 4 packets received 28 32 5 40 ms 5 interval 40ms size 64 ms ms ms ms 20 packet loss If DNS service is configured it is possible to ping by DNS address To do it from Winbox you should resolve DNS address first pressing right mouse button over it address and choosing Lookup Address 95 95 OO 993 95 5 admin MikroTik 159 148 159 148 159 148 1 5 9 148 159 148 5 packets transmitted round trip min avg max admin MikroTik 64 64 64 64 64 gt ping www lv count 5 interval 100ms size 64 byte byte byte byte byte gt pong pong pong pong pong 5 packets received 33 51 6 73 ms tt1 247 tt1 247 tt1 247 tt1 247 tt1 247 time 71 time 48 time 33 time 33 time 73 ms ms ms ms ms 0 packet loss O Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 411 Traceroute Document revision 19 Nov 2002 This document applies to MikroTik RouterOS v2 6 Overview Traceroute is a TCP IP protocol based utility which allows the user to determine how packets are being routed to a particular host Traceroute works by increasing the time to live value of packets and seeing how far they get until they reach the given destination thus a lengthening trail of hosts passed through is built up Topics covered in this manual e Installation e Hardware Resource Usage e Traceroute Description e Traceroute Example Installati
168. to 6 7km twisted pair wire connection, max 2 3Mbps. HomePNA Interfaces: Linksys HomeLink PhoneLine Network Card: Up to 10Mbps home network over telephone line. Device Driver Management. Document revision 30 Sep 2002. This document applies to the MikroTik RouterOS V2.6. Overview. Device drivers represent the software interface part of installed network devices. For example, the MikroTik RouterOS includes device drivers for NE2000 compatible Ethernet cards and other network devices. Device drivers are included in the system software package and in the additional feature packages. The device drivers for PCI and PC cards are loaded automatically. Other network interface cards (most ISA and ISDN PCI cards) require the device drivers loaded manually by using the driver add command. Users cannot add their own device drivers. Only drivers included in the MikroTik RouterOS software packages can be used. If you need a device driver for a device which is not supported by the MikroTik RouterOS, please suggest it at our suggestion page on our web site. Contents of the Manual. The following topics are covered in this manual: Loading Device Drivers; Removing Device Drivers; Notes on PCMCIA Adapters; List of Drivers (ISA Drivers, PCI Drivers); Troubleshooting. Loading Device Drivers. The drivers for PCI and PCMCIA cards except the ISDN cards
169. to point link (PPP, PPPoE, PPTP). Make sure you include the remote address of the point to point link into the router ospf network record. For example, if you have: admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 7 1 3 24 10 7 1 0 10 7 1 255 backbone 1 192 168 223 55 25 192 168 223 0 192 168 223 127 aironet 2 D 10 2 0 7 32 10 2 0 8 0 0 0 0 pptp out1 admin MikroTik ip address gt Use: router ospf network add network 10 2 0 8 32 area backbone Additional Resources. Recommended readings for guidelines on building OSPF networks: http://www.ietf.org/rfc/rfc2328.txt; OSPF Design Guide, Cisco Systems; Designing Large Scale IP Internetworks, Cisco Systems. OSPF Application Examples. Let us consider the following examples of OSPF protocol used for backup links: OSPF Backup without using Tunnel. The example is for the situation when OSPF is running both on the main and the backup routers. OSPF Backup using Encrypted Tunnel through a Third Party. The example is for situation when a third party link and routers are involved for backup, and you do not have control over the involved routers. OSPF Backup without using Tunnel. This example shows how to use OSPF for backup purposes, if you are controlling all the involved routers, and you can run OSPF on them.
170. vlan gt add creates new item with specified property values arp copy from item number disabled interface mtu name vlan id admin MikroTik interface vlan gt admin MikroTik interface vlan gt Flags X disabled R running AME MTU 0 X test 1500 admin MikroTik interface vlan gt admin MikroTik interface vlan gt Flags X disabled R running AME MTU O R test 1500 admin MikroTik interface vlan gt Descriptions of settings add name test vlan id 1 in print ARP VLAN ID enabled T enable 0 print ARP VLAN ID enabled 1 name Interface name for reference mtu mtu Maximum Transmit Unit Should be set to 1500 bytes as on ethernet interfaces Note that this may not work with some ethernet cards that do not support receiving transmitting of full size ethernet packets with VLAN header added 1500 bytes data 4 bytes VLAN header 14 bytes ethernet header In this situation MTU 1496 can be used but note that this will cause packet fragmentation if larger packets have to be sent over interface At the same time remember that MTU 1496 may cause problems if path MTU discovery is not working properly between source and destination interface physical interface to the network where are VLANs arp Address Resolution Protocol one of the terface etherl INTERFACE etherl INTERFACE etherl disabled the interface will not use
171. voip for each of the devices you want to call or want to receive calls from i e the IP telephone 10 0 0 224 and the Welltech IP telephone 10 5 8 2 admin voip_gw ip telephony voice port voip gt add name joe remote address 10 0 0 224 admin voip_gw ip telephony voice port voip gt add name robert remote address 10 5 8 2 prefered codec G 723 1 6 3k hw admin voip_gw ip telephony voice port voip gt print Flags X disabled D dynamic R registered NAME AUTODIAL REMOTE ADDRESS JITTER BUFFER PREFERED CODEC SIL FAS 0 joe 10 0 0 224 100ms none no yes 1 robert 10 5 8 2 100ms G 723 1 6 3k hw no yes admin voip_gw ip telephony voice port voip gt 3 Add number records to the ip telephony numbers so you are able to make calls admin voip_gw ip telephony numbers gt add dst pattern 31 voice port robert prefix 31 admin voip_gw ip telephony numbers gt add dst pattern 33 voice port joe prefix 33 admin voip_gw ip telephony numbers gt add dst pattern 1 voice port linejackl prefix 1 admin voip_gw ip telephony numbers gt print Flags I invalid X disabled D dynamic R registered DST PATTERN VOICE PORT PREFIX 0 31 robert 31 1 33 joe 33 2 1 linejackl 1 admin voip_gw ip telephony numbers gt Making calls through the IP telephony gateway e To dial the IP telephone 10 0 0 224 from the office PBX line the extension number 19
172. when other queues are getting too long and a connection is not to be satisfied, then the not-bounded queues would be limited at their allocated bandwidth. When the parent is allowed to send some amount of traffic, it asks its inner queues in order of priority: priorities are processed one after another from 1 to 8, where 1 means the highest priority. When there are some queues with the same priority value, they are asked in Weighted Round Robin (WRR) fashion. In each WRR round the queue can send the amount of data equal to weight*allot, where allot is the amount of data sent in one turn and weight shows the number of allowed transmissions in one Weighted Round Robin round. For example, if there are two queues but the weight for the second is two times higher than for the first, then the second queue gets its data sent two times in a round, while the first queue only one time. That is why allot should be bigger than the interface MTU (MTU+14 works fine in most cases). The max-burst parameter specifies the maximal number of packets that can burst when there are no packets in the queue. In other words, when the current data rate is below the limit, max-burst packets may spill over before the actual limiting is applied. The CBQ algorithm obviates the possibility of exceeding the allowed average data rate. MikroTik RouterOS V2.6 Reference Manual 323. Queues and Bandwidth Management. Configuring Simple Queues: Simple queues can be used to set up bandwidth m
173. with the least total cost if available Note on types OSPF protocol supports two types of metrics e type 1 metrics are internal cheap metrics type 2 metrics are external expensive metrics Any type 2 metric is considered greater than the cost of any internal path Usually you want to redistribute connected and static routes if any Therefore change the settings for these arguments and proceed to the OSPF areas and networks OSPF Areas The area management can be accessed under the routing ospf area submenu There is one area that is configured by default the backbone area area ID 0 0 0 0 admin MikroTik routing ospf area gt print detail Flags X disabled O name backbone area id 0 0 0 0 stub area no default cost 0 authentication none admin MikroTik routing ospf area gt MikroTik RouterOS V2 6 Reference Manual 335 Open Shortest Path First OSPF Routing Protocol To define additional OSPF area s for the router use the routing ospf area add command admineMikroTik routing ospf area gt add area id 0 0 10 5 name local_10 admin MikroTik routing ospf area gt print Flags X disabled 0 name backbone area id 0 0 0 0 stub area no default cost 0 authentication none 1 name local_10 area id 0 0 10 5 stub area no default cost 0 authentication none admin MikroTik routing ospf area gt Argument description name area name Cannot be changed for the backbone ar
174. www.mikrotik.com. To install the package, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation the package should be listed under the installed software packages list. License: The Atheros chipset based adapters, like 2.4GHz wireless adapters, require the 2.4GHz wireless feature license. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The 2.4GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License. Note: The 2.4GHz Wireless Feature License enables only the station and the bridge modes of the Atheros card. To enable the access point mode, the Wireless AP Feature License is additionally required. The MikroTik RouterOS supports as many Atheros chipset based cards as there are free adapter slots in your system. One license is valid for all cards on your system. System Resource Usage: Atheros chipsets are used in PCI/miniPCI/CardBus cards and thus support IRQ sharing. Installing the Wireless Adapter: The basic installation steps of the wireless adapter should be as follows: 1. Check the system BIOS settings and make sure you have the PnP OS Installed set to Yes. 2. The Atheros adapter should appear as Network Adapter in the list of by BIOS found devices during
175. yyyy zip archive file containing a bootable CD image. The CD will be used for booting up the dedicated PC and installing the MikroTik RouterOS on its hard drive or flash drive. MikroTik Disk Maker, if you want to create 3.5" installation floppies. The Disk Maker is a self-extracting archive DiskMaker_v2 6 x_dd mmm yyyy exe file, which should be run on your Win95/98/NT4/2K/XP workstation to create the installation floppies. The installation floppies will be used for booting up the dedicated PC and installing the MikroTik RouterOS on its hard drive or flash drive. MikroTik Disk Maker in a set of smaller files, if you have problems downloading one large file. Netinstall, if you want to install RouterOS over a LAN with one floppy boot disk. Note: The installation from CD or network requires Full paid License. If you intend to obtain the Free Demo License, you should use the floppy installation media. 2. Create the installation media. Use the appropriate installation archive to create the Installation CD or floppies. For the CD, write the ISO image onto a blank CD. For the floppies, run the Disk Maker on your Windows workstation to create the installation floppies. Follow the instructions and insert the floppies in your FDD as requested; label them as Disk 1, 2, 3, etc. MikroTik RouterOS V2.6 Reference Manual 4. Setting up MikroTik RouterOS. 3. Install the MikroTik RouterOS software. Your dedicated PC rout
176. 0 0 24 local_10 admin OSPF peer 2 gt Routing Tables After the three routers have been set up as described above and the links between them are operational the routing tables of the three routers should look as follows On the main OSPF router admin OSPF Main gt ip route print Flags X disabled I invalid D dynamic J rejected e connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 r 10 0 0 1 1 main_gw 1 DO 192 168 0 0 24 E 10 13 04 110 peerl 2 DC 10 2 0 0 24 r 0 0 0 0 0 peer2 3 DO 10 3 0 0 24 rado 2 0 1 110 peer2 r 10 1 0 1 peerl 4 DC 10 1 0 0 24 E 00 00 0 peerl 5 DC 10 0 0 0 24 r 0 0 0 0 0 main_gw admin OSPF Main gt On the Peer 1 MikroTik RouterOS V2 6 Reference Manual 342 Open Shortest Path First OSPF Routing Protocol admin OSPF peer 1 gt ip route print Flags X disabled I invalid D dynamic J rejected connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 DO 0 0 0 0 0 r 10 1 0 2 110 main_link 1 DC 192 168 0 0 24 r 0 0 0 0 0 local 2 DO 10 2 0 0 24 roe L042 110 main_link E LOBO backup 3 DC 10 3 0 0 24 r 0 0 0 0 0 backup 4 DC 10 1 0 0 24 r 0 0 0 0 0 main_link 5 DO 10 0 0 0 24 PLO 02 110 main_link admin OSPF peer 1 gt On the Peer 2 admin OSPF peer 2 gt ip route print Flags X disabled I invalid D dynamic
177. 00 time between pings time between these two ICMP echo requests in seconds New ICMP packet pair will never be sent before previous pair is completely sent and the algorithm will never send more than two requests in one second MikroTik RouterOS V2 6 Reference Manual 408 ICMP Bandwidth Test Bandwidth Test Example Correct showings admin MikroTik tool gt ping speed 10 0 0 202 first ping size 750 second ping size 760 current 4 32Mbps average 5 32Mbps fadmin MikroTik tool gt Incorrect showings admin MikroTik tool gt ping speed 10 0 0 202 first ping size 1000 current 2666 66Mbps average 764 46Mbps fadmin MikroTik tool gt Note that you should know approximate connection speed to a remote host and do not pay attention to overt erroneous showings and change ping size values until you get what you want to get Besides you should look only on average value as it is more informative Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 409 Ping Document revision 19 Nov 2002 This document applies to MikroTik RouterOS v2 6 Overview Ping uses Internet Control Message Protocol ICMP Echo messages to determine if a remote host is active or inactive and to determine the round trip delay when communicating with it Topics covered in this manual e Installation e Hardware Resource Usage e Ping Description e Ping Examples Installation The Ping feature 1s include
178. 000ms The jitter buffer preserves quality of the voice signal against the loss or delay of packets while traveling over the network The larger the jitter buffer the larger the total delay but fewer packets lost due to timeout If the setting is jitter buffer 0 the size of it is adjusted automatically during the conversation to keep amount of lost packets under 1 silence detection if yes then silence is detected and no audio data is sent over the IP network during the silence period prefered codec the preferred codec to be used for this voip voice port If possible the specified codec will be used fast start allow or disallow the fast start The fast start allows establishing the audio connection in a shorter time However not all H 323 endpoints support this feature Therefore it should be turned off if there are problems to establish telephony connection using the fast start mode Numbers This is the so called routing table for voice calls This table assigns numbers to the voice ports admin MikroTik ip telephony numbers gt print Flags I invalid X disabled DST PATTERN VOICE PORT PREFIX 0 26 VoIP_GW 26 admin MikroTik ip telephony numbers gt Argument description dst pattern pattern of the telephone number Symbol designate any digit symbol _ only as the last one designate any symbols i e any number of characters can follow ended with character voice port voi
179. 1024 phl state established phl side initiator ph1 established n0v 19 2008 17 13 24 ph2 active 0 ph2 total 1 admin MikroTik ip ipsec peer gt Description of the printout ph1 state state of phase 1 negotiation with this peer established is the normal working state ph1 side who spoke first initiator means that phase 1 negotiation was started by this MikroTik RouterOS V2 6 Reference Manual 261 IPsec router responder by peer ph1 established when current phase 1 between router and peer was established ph2 active how many phase 2 negotiations with this peer are currently taking place ph2 total how many phase 2 negotiations with this peer took place Pre shared secret For IKE peers to know each other they must have same pre shared secret configuration It s kind of like passwords So if there are two routers 10 0 0 205 and 10 0 0 201 then on the first 10 0 0 205 it should look like this admin MikroTik ip ipsec pre shared secret gt print Flags X disabled ADDRESS SECRET 0 10 0 0 201 gwejimezyfopmekun admin MikroTik ip ipsec pre shared secret gt And on the second 10 0 0 201 like this admin MikroTik ip ipsec pre shared secret gt print Flags X disabled ADDRESS SECRET 0 10 0 0 205 gwejimezyfopmekun admin MikroTik ip ipsec pre shared secret gt Parameter description address address of remote peer ident string
180. 11Mbps 802 11b WLAN Card version Addtron AWP 100 Wireless PCMCIA Version 01 02 card D Link DWL 650 11Mbps 802 11b WLAN Card version D Link DWL 650 11Mbps WLAN Card Version 01 02 card SMC 2632W 11Mbps 802 11b WLAN Card version SMC SMC2632W Version 01 02 card BroMax Freeport 11Mbps 802 11b WLAN Card version Intersil PRISM 2_5 PCMCIA ADAPTER ISL37300P Eval RevA card Intersil PRISM2 Reference Design 11Mb s WLAN Card manfid 0x0156 0x0002 card Bromax OEM 11Mbps 802 11b WLAN Card Prism 2 5 manfid 0x0274 0x1612 card Bromax OEM 11Mbps 802 11b WLAN Card Prism 3 manfid 0x0274 0x1613 card corega K K Wireless LAN PCC 11 version corega K K Wireless LAN PCC 11 card corega K K Wireless LAN PCCA 11 version corega K K Wireless LAN PCCA 11 MikroTik RouterOS V2 6 Reference Manual 189 Prismll Wireless Client and Wireless Access Point Manual card CONTEC FLEXSCAN FX DDS110 PCC manfid 0xc001 0x0008 card PLANEX GeoWave GW NS110 version PLANEX GeoWave GW NS110 card Ambicom WL1100 11Mbps 802 11b WLAN Card version OEM PRISM2 IEEE 802 11 PC Card Version 01 02 card LeArtery SYNCBYAIR 11Mbps 802 11b WLAN Card version LeArtery SYNCBYAIR 11Mbps Wireless LAN PC Card Version 01 02 card Intermec MobileLAN 11Mbps 802 11b WLAN Card manfid 0x01ff 0x0008 card NETGEAR
181. 2 main 70 2 0 7 peer 70 7 0 2 ISP 2 cost 1 cost 50 PPTP Tunnel main_tink 10 1 0 1 fo peer 10 30 2 backup 10 3 0 7 OSPF peer 1 focal 192 168 0 1 LAN 192 168 0 0 24 Let us assume that the link between the routers OSPF Main and OSPF peer 1 is the main one When the main link goes down the backup link should go through the ISP 2 router Since we cannot control the ISP 2 router we cannot run OSPF on the backup router like in the previous example with OSPF peer 2 Therefore we have to create a tunnel between the routers OSPF Main and OSPF peer 1 that goes through MikroTik RouterOS V2 6 Reference Manual 346 Open Shortest Path First OSPF Routing Protocol the ISP 2 router Thus we will have two links between the routers and the traffic should switch over to the backup when the main link goes down For this 1 We create a PPTP tunnel between our two routers which goes over the ISP 2 router Please consult the PPTP Interface Manual on how to create PPTP tunnels 2 Only the OSPF Main router will have the default route configured Its interfaces peer and pptp in1 will be configured for the OSPF protocol The interface main_gw will not be used for distributing the OSPF routing information 3 The router OSPF peer 1 will distribute its connected and static route information and receive the default route from OSPF main using the OSPF protocol OSPF_Main Router Setup The PPTP s
182. 2 il 192 168 0 254 24 192 168 0 254 192 168 0 255 etherl 2 Lhe 32 Lode 255 255 255 255 wan admin MikroTik ip address gt ping 1 1 1 2 1 1 1 2 64 byte pong tt1l 255 time 31 ms 1 1 1 2 64 byte pong tt1l 255 time 26 ms 1 1 1 2 64 byte pong tt1l 255 time 26 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 26 27 6 31 ms admin MikroTik ip address gt Note that for the point to point link the network mask is set to 32 bits the argument network is set to the IP address of the other end and the broadcast address is set to 255 255 255 255 The default route should be set to the gateway router 1 1 1 2 admin MikroTik ip route gt add gateway 1 1 1 2 interface wan admin MikroTik ip route gt print Flags X disabled I invalid D dynamic J rejected Cc connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 Toi A dhe 1 wan 1 DC 10 0 0 0 24 r 10 0 0 254 0 ether2 MikroTik RouterOS V2 6 Reference Manual 136 MOXA C101 Synchronous Interface 2 DC 192 168 0 0 24 r 192 168 0 254 0 etherl IDE Ea 32 Dis lll 0 wan admin MikroTik ip route gt The configuration of the CISCO router at the other end part of the configuration is CISCO show running config Building configuration Current configuration interface Ethernet0 description connected to Ethernet LAN ip address 10 1 1 12 255 255 255 0
183. 2 none 2 ether3 none 3 wavelanl none admin MikroTik interface bridge port gt set 0 1 bridge bridgel admin MikroTik interface bridge port gt print Flags X disabled MikroTik RouterOS V2 6 Reference Manual 82 Bridge Interface INTERFACE BRIDGE 0 etherl bridgel 1 ether2 bridgel 2 ether3 none 3 wavelanl none admin MikroTik interface bridge port gt After setting some interface for bridging the bridge interface should be enabled in order to start using 1t admin MikroTik interface bridge gt print Flags X disabled R running 0 X name bridgel mtu 1500 arp enabled mac address 00 50 08 00 00 F5 forward protocols ip arp other priority 1 admin MikroTik interface bridge gt enable 0 admin MikroTik interface bridge gt print Flags X disabled R running O R name bridgel mtu 1500 arp enabled mac address 00 50 08 00 00 F5 forward protocols ip arp other priority 1 admineMikroTik interface bridge gt If you want to access the router through unnumbered bridged interfaces it is required to add an IP address to a bridge interface admin MikroTik ip address gt add address 192 168 0 254 24 interface bridgel admin MikroTik ip address gt add address 10 1 1 12 24 interface wavelanl admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 254 24 192 168 0 0 192 168 0 255 b
184. 24 of ours 8 0 24 0 65535 in interface all 0 0 0 0 65535 out interface all protocol all any tcp options any connection state any flow 00 00 00 00 00 00 limit count 0 limit burst 0 tion accept log no 77 Reject and log everything else src address 0 0 dst address 0 0 icmp options any src mac address limit time 0s ac 0 0 0 0 65535 in interface all 0 0 0 0 65535 out interface all protocol all any tcp options any connection state any flow 00 00 00 00 00 00 limit count 0 limit burst 0 tion reject log yes ip firewall rule input gt Thus the input chain will accept the allowed connections and reject and log everything else Protecting the Customer s Network To protect the customer s network we should match all packets with destination address 192 168 0 0 24 that are passing through the router This can be done in the forward chain We can match the packets against the IP addresses in the forward chain and then jump to another chain say customer We create the new chain and add rules to it admineMikroTik ip firewall gt add name customer admin MikroTik ip firewall gt print X NAME POLICY O input accept 1 forward accept 2 output accept 3 router none 4 customer none admin MikroTik ip firewall gt rule customer admin MikroTik ip firewall rule customer gt add protocol tcp tcp option non syn only connection state established comment Allow established TCP connections admin MikroTik ip
185. 4 and from the ISP router 0 0 0 0 0 and 192 168 3 0 24 Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 359 Border Gateway Protocol BGP Routing Protocol Draft Document revision 5 Sep 2002 This document applies to the MikroTik RouterOS 2 6 Overview The Border Gateway Protocol BGP is an Exterior Gateway Protocol EGP It allows setting up an interdomain routing system that automatically guarantees the loop free exchange of routing information between autonomous systems MikroTik RouterOS supports BGP Version 4 as defined in RFC1771 The MikroTik RouterOS implementation of the BGP has the following features e Filtering using prefix lists Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e BGP Description e BGP Setup 4 Setting the Basic BGP Configuration BGP Network BGP Peers e Troubleshooting e Additional Resources e BGP Application Examples Installation The BGP feature is included in the bgp package The package file bgp 2 6 y npk can be downloaded from MikroTik s web page www mikrotik com To install the package please upload it to the router with ftp and reboot You may check to see if the routing package is installed with the command admin MikroTik gt system package print Flags I invalid NAME VERSION BUILD TIME UNINSTALL 0 system 2 6betal aug 09 2002 20 22 14 no
186. 440 signal 26 terface atherosl mac address 00 50 08 00 01 33 type local terface atherosl mac address 00 01 24 70 03 58 type radio tx rate 6Mbps rate 48Mbps packets 18 49 bytes 1764 4159 uptime 00 01 35 770 signal 46 admin MikroTik_AP interface atheros gt Additional argument description only for wireless clients packets number of received and sent packets bytes number of received and sent bytes signal signal strength rx rate receive data rate tx rate transmit data rate uptime time the client is associated with the access point Access List The access list is used to restrict authentications associations of clients This list contains MAC address of client and associated action to take when client attempts to connect Also the forwarding of frames sent by the client is controlled The association procedure is the following when a new client wants to associate to the AP that is configured on interface atherosX entry with client s MAC address and interface atherosX is looked up in the access list If such entry is found action specified in it is taken Otherwise default authentication and MikroTik RouterOS V2 6 Reference Manual 72 Atheros 5GHz 54Mbps Wireless Interface default forwarding of interface atherosX is taken To add an access list entry use the add command for example admineMikroTik interface atheros access list gt add mac address 00 06 AB 00 37 72 inte
187. 55 Wan admin MikroTik ip address gt ping 1 1 1 2 1 1 1 2 64 byte pong tt1 255 time 31 ms 1 1 1 2 64 byte pong tt1l 255 time 26 ms 1 1 1 2 64 byte pong tt1l 255 time 26 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 26 27 6 31 ms admin MikroTik ip address gt Note that for the point to point link the network mask is set to 32 bits the argument network is set to the IP address of the other end and the broadcast address is set to 255 255 255 255 The default route should be set to the gateway router 1 1 1 2 MikroTik RouterOS V2 6 Reference Manual 134 MOXA C101 Synchronous Interface admin MikroTik ip route gt add gateway 1 1 1 2 interface wan admin MikroTik ip route gt print Flags X disabled I invalid D dynamic J rejected connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 Polla Liz 1 wan 1 DC 10 0 0 0 24 r 10 0 0 254 1 ether2 2 DC 192 168 0 0 24 r 192 168 0 254 0 etherl 3 DCL 2 32 r 0 0 0 0 0 wan admin MikroTik ip route gt The configuration of the Mikrotik router at the other end is similar admin MikroTik ip address gt add address 1 1 1 2 32 interface moxa network 1 1 1 1 broadcast 255 255 255 255 admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 1 12 24
188. 580 0 0 0 0 0 0 65535 admin MikroTik ip firewall mangle gt move 0 admin MikroTik ip firewall mangle gt print brief Flags X disabled I invalid D dynamic SRC ADDRESS DST ADDRESS 0 Col 11 3280 0 0 0 0 0 0 65535 1 2 2 2 2 32 80 0 0 0 0 0 0 65535 2 353 6353 32780 0 0 0 0 0 0 65535 3 0 0 0 0 0 80 0 0 0 0 0 0 65535 admin MikroTik ip firewall mangle gt move 0 2 admin MikroTik ip firewall mangle gt print brief Flags X disabled I invalid D dynamic SRC ADDRESS DST ADDRESS 0 24232 2 32580 0 000703 0 6953 5 1 3 6 303 3 3 25580 0 0 0 0 0 0 65535 2 Edd 132780 0 0 0 0 0 0 65535 3 0 0 0 0 0 80 0 0 0 0 0 0 65535 admineMikroTik ip firewall mangle gt move 3 2 0 0 admin MikroTik ip firewall mangle gt print brief Flags X disabled I invalid D dynamic SRC ADDRESS DST ADDRESS 0 0 0 0 0 0 80 0 0 0 0 0 0 65535 1 1 1 1 1 32 80 0 0 0 0 0 0 65535 2 2 2 2 2 32 80 0 0 0 0 0 0 65535 3 3 3 3 3 32 80 00 0 07030 69535 admin MikroTik ip firewall mangle gt find The find command has the same arguments as set and an additional from argument which works like the from argument with the print command Plus find command has flag arguments like disabled invalid that take values yes or no depending on the value of respective flag To see all flags and their names look at the top of print command s output The find command returns internal numbers of all items that have the same values of argu
189. 8 15 08 22 1h admin MikroTik system scheduler gt k admin MikroTik system scheduler gt add name run 1h interval 1h script log test k Argument description name name of the task start time and start date time and date of first execution interval interval between two script executions if time interval is set to zero the script 1s only executed at it s start time otherwise it is executed repeatedly at the time interval specified MikroTik RouterOS V2 6 Reference Manual 390 System Scheduler Manual run count to monitor script usage this counter is incremented each time the script is executed it can be reset to zero Note that rebooting the router will reset this counter script name of the script The script must be present at system script System Scheduler Examples Here are two scripts that will change the bandwidth setting of a queue rule Cust0 Everyday at 9AM the queue will be set to 64Kb s and at 5PM the queue will be set to 128Kb s The queue rule the scripts and the scheduler tasks are below admin MikroTik queue simple gt add name Cust0 interface etherl dst address 192 168 0 0 24 limit at 64000 admin MikroTik queue simple gt print Flags X disabled I invalid 0 name Cust0 src address 0 0 0 0 0 dst address 192 168 0 0 24 interface etherl limit at 64000 queue default priority 8 bounded yes admin MikroTik queue simple gt system
190. 99 2995 209 40 192 168 0 254 192 168 0 255 etherl admin MikroTik ip address gt ip route add gateway 10 0 0 2 admin MikroTik gt ip route print Flags X disabled I invalid D dynamic J rejected E connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Ss 0 0 0 0 0 ALO 002 1 wavelanl 1 De 10 0 0 0 30 r 0 0050 0 wavelanl 2 DC 192 168 0 0 24 r 0 0 0 0 0 etherl admin MikroTik ip address gt The second router will have address 10 0 0 2 the default route to 10 1 1 254 and a static route for network 192 168 0 0 24 to 10 0 0 1 admin wnet_gw ip address gt add address 10 0 0 2 30 interface wll admin wnet_gw ip address gt add address 10 1 1 12 24 interface Public admin wnet_gw ip address gt print ADDRESS NETMASK NETWORK BROADCAST INTERFACE 0 10 0 0 2 ZII ae LO 05052 10 0 0 3 wll 10 31 1642 295 29 9 LO 103s Wie Les 102 die LaZ2oo Public admin wnet_gw ip address gt ip route admin wnet_gw ip route gt add gateway 10 1 1 254 interface Public admin wnet_gw ip route gt add gateway 10 0 0 1 interface wll dst address 192 168 0 0 24 admin MikroTik gt ip route print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE MikroTik RouterOS V2 6 Reference Manual 208 WaveLAN ORiINO
191. Software License 139; System Resource Usage 139; Installing the Synchronous Adapter 139; Loading the Driver for the MOXA C502 Synchronous Adapter 139; Synchronous Interface Configuration 139; Troubleshooting 141; Synchronous Link Applications 141; MikroTik Router to MikroTik Router 141; MikroTik Router to CISCO Router 143; General Point to Point Settings 146; Contents of the Manual 146; Installation 146; Hardware Resource Usage 147; Local Authentication Overview 147; Local Authentication Management of P2P Users 147; PPP Profile
192. Wireless Access Point 175; Wireless Bridge 175; License 175; System Resource Usage 176; Installing the Wireless Adapter 176; Loading the Driver for the Wireless Adapter 176; Station Mode Configuration 178; Monitoring the Interface Status 179; Access Point Mode Configuration 179; Registration Table 180; Registering the Access Point to another Access Point 181; Network Scan 182; Logging of Prism Interface 182; Wireless Network Applications 183; Wireless Access Point 184; Wireless Bridge 187
193. ADDRESS DST ADDRESS INTERFACE ACTION TABLE 0 0 0 0 0 0 0 0 0 0 0 all lookup main 1 llo 1 32 0 0 0 0 0 all lookup main 2 2 2 2 1 32 0 0 0 0 0 all lookup main 3 1 1 1 0 24 0 0 0 0 0 all lookup from_netl 4 2 2 2 0 24 0 0 0 0 0 all lookup from_net2 admin MikroTik ip policy routing rule gt move 0 4 admin MikroTik ip policy routing rule gt print Flags X disabled I invalid SRC ADDRESS DST ADDRESS INTERFACE ACTION TABLE 0 1 121 1 32 0 0 0 0 0 all lookup main 1 DAL 0 0 0 0 0 all lookup main 2 T TIT 0 124 0 0 0 0 0 all lookup from net1 3 2 2 2 0 24 0 0 0 0 0 all lookup from_net2 4 0 0 0 0 0 0 0 0 0 0 all Lookup main admin MikroTik ip policy routing rule gt Here the rules 0 and 1 are needed to process correctly connections from the local networks to the local addresses of the router Namely the connected routes from the main table should be used instead of using the default routes from table from_net1 or from_net2 Rules 2 and 3 will handle packets with destination other than locally connected networks Additional Resources Recommended readings for guidelines on routing issues e http www ietf org rfc rfc2328 txt Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 312 Services Protocols and Ports Document revision 23 Oct 2002 This document applies to the MikroTik RouterOS V2 6 Overview This document lists protocols and ports used by various Mi
194. ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 1 12 24 LO 4 61 12 Td LL 299 Public Le Lal 2 32 beleket 255 255 255 255 moxa admin MikroTik ip address gt ping 1 1 1 1 1 1 1 1 64 byte pong ttl 255 time 31 ms 1 1 1 1 64 byte pong ttl 255 time 26 ms 1 1 1 1 64 byte pong ttl 255 time 26 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 26 27 6 31 ms admin MikroTik ip address gt MikroTik Router to CISCO Router Let us consider the following network setup with MikroTik Router connected to a leased line with baseband modems and a CISCO router at the other end Internet interface Ethernet0 address 10 1 1 12 24 interface Serial0 address 1 1 1 2 32 v 35 interface wan MikroTik address 1 1 1 1 32 interface ether2 address 10 0 0 254 24 interface ether1 address 192 168 0 254 24 LAN 192 168 0 0 24 LAN 10 0 0 0 24 MikroTik RouterOS V2 6 Reference Manual 143 MOXA C502 Synchronous Interface The driver for MOXA C502 card should be loaded and the interface should be enabled according to the instructions given above The IP addresses assigned to the synchronous interface should be as follows admin MikroTik ip address gt add address 1 1 1 1 32 interface wan network 1 1 1 2 broadcast 255 255 255 255 admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFA
195. ARP protocol enabled the interface will use ARP protocol proxy arp the interface will be an ARP proxy see corresponding manual 4 reply only the interface will only reply to the requests originated to its own IP addresses but neighbour MAC addresses will be gathered from ip arp statically set table only vlan id Virtual LAN identifier or tag that is used to distinguish VLANs Must be equal for all computers in one VLAN Use ip address add command to assign an IP address to the VLAN interface The bandwidth usage of the interface may be monitored with the monitor traffic feature from the interface menu MikroTik RouterOS V2 6 Reference Manual 198 Virtual LAN VLAN Interface VLAN Application Example Let's assume that we have two or more MikroTik RouterOS routers connected with a hub The interface to the physical network where the VLAN is to be created is ether1 on all of them this is only to simplify the example it is NOT a must To connect computers through VLAN they must be connected physically and unique IP addresses should be assigned to them so that they can ping each other Then on each of them the VLAN interface should be created admin MikroTik interface vlan gt add name test vlan id 32 interface ether1 admin MikroTik interface vlan gt print Flags X disabled R running NAME MTU ARP VLAN ID INTERFACE 0 R test 1500 enabled 32 ether1 admin Mik
196. AY DISTANCE INTERFACE 0 S 0 0 0 0 0 r 10 0 0 1 1 bridge1 1 DC 10 0 0 0 24 00050 0 bridge1 admin MT_Prism_AP ip address gt MikroTik RouterOS V2 6 Reference Manual 186 PrismII Wireless Client and Wireless Access Point Manual The client router requires the System Service Identifier set to mt The IP addresses assigned to the interfaces should be from networks 10 0 0 0 24 and 192 168 0 0 24 admin mikrotik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 1 0 0 0 0 10 0 0 255 aironet 1 192 168 0 254 24 192 168 0 0 192 168 00 299 Local admin mikrotik ip address gt The default route should be set to gateway 10 0 0 1 for the router mikrotik admin mikrotik ip route gt add gateway 10 0 0 254 admin mikrotik ip route gt print Flags X disabled I invalid D dynamic J rejected Q connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Ss 0 0 0 0 0 Ly 10 0041 1 aironet 1 DC 10 0 0 0 24 r 0 0 0 0 0 aironet 2 DC 192 168 0 254 24 r 0 0 0 0 0 Local admin mikrotik ip route gt Wireless Bridge To set up a wireless bridge between two networks you need to have a wireless 2 4GHz or AP license Configure one MikroTik RouterOS Prism AP to register to another MikroTik RouterOS Prism AP for point to point operation The basic setup is as follo
197. Aironet 2 4GHz 11Mbps Wireless Interface e A unique Service Set Identifier should be chosen for both ends say b_link e A channel frequency should be selected for the link say 2412MHz e The operation mode should be set to ad hoc e One of the units slave should have wireless interface argument join net set to 0s never create a network the other unit master should be set to 1s or whatever say 10s This will enable the master unit to create a network and register the slave unit to it The following command should be issued to change the settings for the pc interface of the master unit admin MikroTik interface pc gt set 0 mode ad hoc ssid1 b_link frequency 2442MHz bitrate auto admin MikroTik interface pc gt For 10 seconds this is set by the argument join net the wireless card is looking for a network to join The status of the card is not synchronized and the green status light is blinking fast If the card cannot find a network the card creates its own network The status of the card becomes synchronized and the green status led becomes solid The monitor command shows the new status and the MAC address generated admin MikroTik interface pc gt mo 0 synchronized yes associated yes frequency 2442MHz data rate 11Mbit s ssid b_link access point access point name 2E 00 B8 01 98 01 signal quality 35 signal strength 62 error number 0 admin MikroTik interface
198. BGP Application Examples Not complete yet Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 363 Export and Import Document revision 16 Sep 2002 This document applies to MikroTik RouterOS v2 6 The configuration export can be used for dumping out MikroTik RouterOS configuration to the console screen or to a text script file which can be downloaded from the router using ftp The configuration import can be used to import the router configuration script from a text file Note that it is impossible to import the whole router configuration using this feature It can only be used to import a part of configuration for example firewall rules in order to spare you some typing For backing up configuration to a binary file and restoring it without alterations please refer to the configuration backup and restore section of the MikroTik RouterOS Manual Topics covered in this manual e Installation e Hardware Resource Usage e Export and Import Description e Export and Import Examples Installation The Export and Import features are included in the system package No installation is needed for this feature Hardware Resource Usage There is no significant resource usage Export and Import Description The export command prints a script that can be used to restore configuration The command can be invoked at any menu level and it acts for that menu level and all menu levels below it If the argument
199. CE 0 10 0 0 254 24 10 0 0 254 TO 000209 ether2 1 192 168 0 254 24 192 168 0 254 192 168 0 255 ether1 2 Led 1 32 p Ep aa E 255 255 255 255 wan admin MikroTik ip address gt ping 1 1 1 2 1 1 1 2 64 byte pong ttl 255 time 31 ms 1 1 1 2 64 byte pong ttl 255 time 26 ms 1 1 1 2 64 byte pong ttl 255 time 26 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 26 27 6 31 ms admin MikroTik ip address gt Note that for the point to point link the network mask is set to 32 bits the argument network is set to the IP address of the other end and the broadcast address is set to 255 255 255 255 The default route should be set to the gateway router 1 1 1 2 admin MikroTik ip route gt add gateway 1 1 1 2 interface wan admin MikroTik ip route gt print Flags X disabled I invalid D dynamic J rejected E connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 Ped ede 2 1 wan 1 DC 10 0 0 0 24 r 10 0 0 254 0 ether2 2 DC 192 168 0 0 24 r 192 168 0 254 0 ether1 3 Del lel 2 32 r 1 1311 0 wan admin MikroTik ip route gt The configuration of the CISCO router at the other end part of the configuration is CISCO show running config Building configuration Current configuration 1 interface Ethernet0 description connected to Ethernet LAN ip address 10 1 1 12 255 255 255 0 I in
200. CHLDC keepalive interval in seconds MikroTik RouterOS V2 6 Reference Manual 114 FrameRelay PVC Interfaces e ignore dcd Ignore DCD yes no Frame Relay PVC interface To add a PVC interface use the interface pvc add command For example for a Cyclades interface and DLCI equal to 42 we should use the command admin MikroTik interface pvc gt add dlci 42 interface cyclades1 admin MikroTik interface pvc gt print Flags X disabled R running NAME MTU DLCI INTERFACE 0 pvc1 1500 42 cyclades1 admin MikroTik interface pvc gt Argument description e name Assigned name of the interface e mtu Maximum Transfer Unit of an interface e dlci Data Link Connection Identifier assigned to the PVC interface e interface FrameRelay interface Frame Relay Configuration Example with Cyclades Interface Let us consider the following network setup with MikroTik Router with Cyclades PC300 interface connected to a leased line with baseband modems and a CISCO router at the other end admin MikroTik ip address gt add interface pvc1 address 1 1 1 1 netmask 255 255 255 0 admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 Lat Lee 24 bed 0 1 1 1 200 pvc1 admin MikroTik ip address gt PVC and Cyclades interface configuration Cyclades admin MikroTik interface cyclades gt print Flags X di
201. MikroTik RouterOS V2 6 Reference Manual Table of Contents: ISDN Hardware and Software Installation; Loading the ISDN Driver; MSN and EAZ; ISDN Client Interface Configuration; ISDN Server Interface Configuration; Troubleshooting; ISDN Examples; ISDN Backup; ISDN Backup Description; Setting up ISDN Connection; Setting up Static Routes; Adding Scripts; Setting up Netwatch; MOXA C101 Synchronous Interface; Contents of the Manual; Synchronous Adapter Hardware and Software Installation
202. CO 2 4GHz 11Mbps Wireless Interface 0 0 0 0 0 0 r 10 1 1 254 1 Public 1 192 168 0 0 24 r 10 0 0 1 ll wll 2 10 0 0 0 30 r 0 0 0 0 0 wll 3 10 1 1 0 24 r 0 0 0 0 0 Public admin wnet_gw ip route gt Testing the Network Connectivity The network connectivity can be tested by using ping admin MikroTik gt ping 10 0 0 2 10 0 0 2 pong ttl 255 time 2 ms 10 0 0 2 pong ttl 255 time 2 ms 10 0 0 2 pong ttl 255 time 2 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 2 2 0 2 ms admin MikroTik gt Point to Point Wireless LAN with Windows Client Let us consider the following point to point wireless network setup with one MikroTik Wireless Router and a laptop computer with Wavelan card [Network diagram: xDSL modem and Internet gateway 10 1 1 254; wireless router home gw with Internet interface Public address 10 1 1 12 24 and interface wl ssid1 home_link mode ad hoc 2 4GHz 11Mbps address 192 168 0 254 24; local wireless network 192 168 0 0 24 with laptop workstation 192 168 0 1 192 168 0 240 from DHCP server] It is very important that the MikroTik Router is configured prior to turning on and configuring the wireless client The MikroTik router should be up and running so the client can join its network The configuration of the wireless interface of the MikroTik Router should be as follows e A
203. MikroTik RouterOS V2 6 Reference Manual Table of Contents: PPP Secret; Local Accounting of PPP Users; Authentication using RADIUS Server; General Point to Point Settings; RADIUS Overview; RADIUS Client Setup; RADIUS Client Monitor; RADIUS Parameters; Authentication data sent to server Access Request; Data received from server Access Accept; Accounting information sent to server Accounting Request; RADIUS Servers Suggested; PPPoE Bandwidth Setting; PPP Troubleshooting; RADIUS Server Configuration Example; Point to Point Protocol PPP and Asynchronous Interfaces
204. DHCP client Physical network connection has to be established between the HotSpot user s computer and the gateway It can be wireless the wireless card should register to AP or wired the NIC card should be connected to HUB The Initial Contact MikroTik HotSpot Gateway s DHCP server assigns IP addresses from the temporary address pool with a very short lease time approx 10s so the address can be changed after authentication If the user tries to access network resources using a web browser the destination NAT rule redirects all TCP connection requests to the HotSpot servlet port 8080 by default This brings up the HotSpot Welcome Login page It may be useful to have port 80 for the HotSpot servlet because the users might want to see status and log out If this is impossible you may redirect requests to a virtual IP address to the servlet Note that you may want to have DNS traffic enabled or redirected to the router s DNS cache so that the client can be logged in by connecting to any valid web page using its DNS name Enabling ICMP ping might be useful as well since it shows network connectivity Other traffic should be dropped The Servlet If the user is not logged in the login page will be shown where username and password have to be entered but if the user is logged in the status page will be shown status username IP address session time bytes and packets transferred There are 6 HTML pages that can be easily modified by creating HTML
205. DIAL 0 linejack1 linejack 1 gw voip 2 robert voip admin Joe ip telephony voice port gt MikroTik RouterOS V2 6 Reference Manual 292 IP Telephony 2 Add at least one unique number to the ip telephony numbers for each voice port This number will be used to call that port admin Joe ip telephony numbers gt add dst pattern 31 voice port robert admin Joe ip telephony numbers gt add dst pattern 33 voice port linejack1 admin Joe ip telephony numbers gt add dst pattern 1 voice port gw prefix 1 admin Joe ip telephony numbers gt print Flags I invalid X disabled D dynamic R registered DST PATTERN VOICE PORT PREFIX 0 31 robert 1 33 linejack1 2 La gw 1 admin Joe ip telephony numbers gt Here the dst pattern 31 is to call the Welltech IP Telephone if the number 31 is dialed on the dialpad The dst pattern 33 is to ring the local telephone if a call for number 33 is received over the network Anything starting with digit 1 would be sent over to the IP Telephony gateway Making calls from the IP telephone 10 0 0 224 e To call the IP telephone 10 5 8 2 it is enough to lift the handset and dial the number 31 e To call the PBX extension 13 it is enough to lift the handset and dial the number 13 After establishing the connection with 13 the voice port monitor shows admin Joe ip telephony voice port linejack gt monitor linejack status connection p
206. DP features e works on IP level connections e works on all non dynamic interfaces e distributes basic information on the software version e distributes information on configured features that should interoperate with other MikroTik routers Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e MikroTik Discovery Protocol Description e MikroTik Discovery Protocol Setup Installation The MikroTik Discovery Protocol feature is included in the system package No installation is needed for this feature Hardware Resource Usage There is no significant resource usage MikroTik Discovery Protocol Description The basic function of MNDP is to assist with automatic configuration of features that are only available between two MikroTik routers Currently this is used for the Packet Packer feature The Packet Packer may be enabled on a per interface basis The MNDP protocol will then keep information about what routers have enabled the unpack feature and the Packet Packer will be used for traffic between these routers The MikroTik routers must be connected by an Ethernet like interface Specific Properties e works on interfaces that support IP protocol and have at least one IP address e is enabled by default for all new Ethernet like interfaces Ethernet radio EoIP IPIP tunnels PPTP static server MikroTik RouterOS V2 6 Reference Manual 305 MikroTik Neig
207. Description Support file feature can be found under system submenu The file is stored in the file folder under admin MikroTik file gt You can download this file through ftp to send it to the MikroTik Support Example of Making Support Output File To make a Support Output File use the following command admin MikroTik gt system sup output creating supout rif file might take a while Accomplished admin MikroTik gt To see the files stored on the router use the following command admin MikroTik gt file print NAME TYPE SIZE CREATION TIME 0 supout rif unknown 38662 aug 12 2002 21 51 04 admin MikroTik gt Connect to the router using FTP and download the supout rif file using BINARY file transfer mode Send the supout rif file to MikroTik Support support@mikrotik.com with a detailed description of the problem Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 385 System Resource Management Document revision 19 Nov 2002 This document applies to the MikroTik RouterOS v2 6 Overview MikroTik RouterOS offers several features for monitoring and managing the system resources Most of the system resource management tools are grouped under the system menu The user management logging feature and some other system features are described in separate manuals Contents of the Manual The following topics are covered in this manual e System Resource Monitor
208. E 00 06 4B 00 37 86 root ap root ap 00 00 00 00 00 00 00 06 4B 00 37 5E Below are step by step configurations for both units The system identities are set to MT parent and MT child respectively MT parent Configuration Assume you have interfaces ether1 and atheros1 under interface list 1 Enable the Ethernet interface ether1 interface enable ether1 2 Configure atheros1 interface Set mode bridge ssid br8 frequency 5300MHz and enable atheros1 interface you can use mode ap bridge if you have Atheros AP License interface atheros set atheros1 mode bridge ssid br8 frequency 5300MHz disabled no 3 Add bridge interface and specify forwarded protocol list interface bridge add forward protocols ip arp other disabled no 4 Specify ports atheros1 and ether1 that belong to bridge1 MikroTik RouterOS V2 6 Reference Manual 78 Atheros 5GHz 54Mbps Wireless Interface interface bridge port set ether1 atheros1 bridge bridge1 5 Assign IP address 10 0 0 217 24 to the bridge1 interface ip address add address 10 0 0 217 24 interface bridge1 6 Set default route to 10 0 0 1 ip route add gw 10 0 0 1 MT child Configuration Assume you have interfaces ether1 and atheros1 under interface list 1 Enable the Ethernet interface ether1 interface enable ether1 2 Configure atheros1 interface Here you have to specify root ap MAC address so the Atheros radio registers to the root AP Set mode br
209. ESS DST ADDRESS BYTES 0 0 0 0 0 0 0 65535 0 0 0 0 0 0 65535 0 admin MikroTik ip firewall rule forward gt To reset these counters the reset counters command is used Some items might have statistics other than matched bytes and packets You can see them by using the print stats command admin MikroTik ip ipsec gt policy print stats Flags X disabled I invalid 0 src address 10 0 0 205 32 any dst address 10 0 0 201 32 any protocol icmp ph2 state no phase2 in accepted 0 in dropped 0 out accepted 0 out dropped 0 encrypted 0 not encrypted 0 decrypted 0 not decrypted 0 admin MikroTik ip ipsec gt There might also be a print status command admin MikroTik routing bgp peer gt print status REMOTE ADDRESS REMOTE AS STATE ROUTES RECEIVED 0 159 148 42 158 2588 connected 1 admin MikroTik routing bgp gt MikroTik RouterOS V2 6 Reference Manual 28 Terminal Console Manual Normally the print command pauses after the screen is full and asks whether to continue or not Press any key other than Q or q to continue printing The without paging argument suppresses prompting after each screen of output You can specify an interval for repeating the command until Ctrl C is pressed Thus you do not need to repeatedly press the Up Arrow and Enter buttons to see repeated printouts of a changing list you want to monitor Instead you use the argument interval 2
210. GHz wireless feature The wireless card does not register to the AP Check the cabling and antenna alignment Wireless Network Applications Two possible wireless network configurations are discussed in the following examples e Point to Multipoint Wireless Infrastructure e Point to Point Peer to Peer or Ad Hoc Wireless LAN MikroTik RouterOS V2 6 Reference Manual 89 CISCO Aironet 2 4GHz 11Mbps Wireless Interface Point to Multipoint Wireless LAN Let us consider the following network setup with CISCO Aironet Wireless Access Point as a base station and MikroTik Wireless Router as a client [Network diagram: wireless access point ssid mt frequency 2442 address 10 1 1 250 24 and gateway 10 1 1 254 on the 2 4GHz 11Mbps wireless network 10 1 1 0 24; wireless router mikrotik with interface aironet ssid1 mt mode infrastructure address 10 1 1 12 24 and interface Local address 192 168 0 254 24; local network 192 168 0 0 24 with hub workstation and laptop 192 168 0 1 192 168 0 2] The access point is connected to the wired network s HUB and has IP address from the network 10 1 1 0 24 The minimum configuration required for the AP is 1 Setting the Service Set Identifier up to 32 alphanumeric characters In our case we use ssid mt 2 Setting the allowed data rates at 1 11Mbps and the basic rate at 1Mbps 3 Choosing the frequency in our case we use 2442MHz
211. MikroTik RouterOS V2 6 Reference Manual Table of Contents: Loading the Driver for the Wireless Adapter; Wireless Interface Configuration; Station Mode Configuration; Monitoring the Interface Status; Access Point Mode Configuration; Registration Table; Access List; Registering the Access Point to another Access Point; Troubleshooting; Wireless Network Applications; Wireless Bridge; MT parent Configuration; MT child Configuration; Supported Hardware
212. MikroTik RouterOS V2 6 Reference Manual Table of Contents: Hardware Resource Usage; DNS Cache Description; DNS Cache Setup; Monitoring DNS Cache; Additional Resources; Firewall Filters and Network Address Translation NAT; Contents of the Manual; Firewall Installation; Packet Flow through the Router; IP Firewall Configuration; IP Firewall Common Arguments; Logging the Firewall Actions; Marking the Packets Mangle and Changing the MSS; Firewall Chains; Firewall Rules; Masquerading and Source NAT
213. ISDN the ISDN card driver must be loaded admin MikroTik driver gt add name hfc The PPP connection must have the following configuration A new user must be added to the routers one and two admin Mikrotik ppp secret gt add name backup password backup service isdn An ISDN server and PPP profile must be set up on the second router admin MikroTik ppp profile gt set default local address 3 3 3 254 remote address 3 3 3 1 admin MikroTik interface isdn server gt add name backup msn 7801032 An ISDN client must be added to the first router admin MikroTik interface isdn client gt add name backup user backup password backup phone 7801032 msn 7542159 Setting up Static Routes Use the ip route add command to add the required static routes and comments to them Comments are required for references in scripts The First router MikroTik RouterOS V2 6 Reference Manual 127 ISDN Interface admin Mikrotik ip route gt add gateway 2 2 2 2 comment route1 The Second router admin Mikrotik ip route gt add gateway 2 2 2 1 comment route1 Adding Scripts Add scripts in the submenu system script using the following commands The First Router admin Mikrotik system script gt add name connection_down source interface enable backup ip route set route1 gateway 3 3 3 254 admin Mikrotik system script gt add name connection_up source interface disable backup ip route set route1 ga
214. L 2 32 r 0 0 0 0 0 cyclades1 admin MikroTik ip route gt The configuration of the CISCO router at the other end part of the configuration is CISCO show running config Building configuration Current configuration interface Ethernet0 description connected to Ethernet LAN ip address 10 1 1 12 255 255 255 0 interface Serial0 description connected to MikroTik ip address 1 1 1 2 255 255 255 252 serial restart delay 1 j ip classless ip route 0 0 0 0 0 0 0 0 10 1 1 254 end CISCO Send ping packets to the MikroTik router CISCO ping 1 1 1 1 Type escape sequence to abort Sending 5 100 byte ICMP Echos to 1 1 1 1 timeout is 2 seconds Success rate is 100 percent 5 5 round trip min avg max 28 32 40 ms CISCO Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual Ethernet Interfaces Document revision 29 Nov 2002 This document applies to the MikroTik RouterOS V2 6 Overview MikroTik RouterOS supports the following types of Ethernet Network Interface Cards e Most NE2000 compatible ISA and PCI cards e 3com 3c509 ISA cards e DEC Intel Tulip chip based cards e Intel Pro Gigabit PCI cards The complete list of supported Ethernet NICs can be found in the Device Driver Management Manual Contents of the Manual The following topics are covered in this manual e Ethernet Adapter Hardware and Software Installation Software Packages Software Lice
215. MikroTik gt interface set 0 1 2 mtu 1460 admin MikroTik gt interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 R ether1 ether 1460 1 R ether2 ether 1460 2 R ether3 ether 1460 3 R ether4 ether 1500 admin MikroTik gt This is handy when you want to perform the same action on several items or do a selective export However this feature becomes really useful when combined with scripting General Commands Most command groups have some or all of these commands print set remove add find get export enable disable comment move These commands behave similarly throughout the hierarchy print The print command shows all information that s accessible from particular command level Thus system clock print shows system date and time ip route print shows all routes etc If there s a list of items in this level and they are not read only i e you can change remove them example of read only item list is system history which shows history of executed actions then print command also assigns numbers that are used by all commands that operate on items in this list If there s list of items then print usually can have a from argument The from argument accepts space separated list of item numbers names if items have them and internal numbers The action printing is MikroTik RouterOS V2 6 Reference Manual 27 Terminal Console Manual performed on all items in this list in the sam
216. MikroTik Neta admin MikroTik Flags X disabled I 0 icmp options any 1 iia icmp options any limit time 0s ac 2 iii dst address 0 0 icmp options any src mac address limit time 0s ac 3 iia src address 0 0 dst address 0 0 icmp options any src mac address limit time 0s ac admin MikroTik ip fi 0 0 0 0 65535 out interface Public protocol all any tcp options any connection state any flow 00 00 00 00 00 00 limit count 0 limit burst 0 tion accept log no Reject and log everything else 0 0 0 0 65535 in interface all 0 0 0 0 65535 out interface Public protocol all any tcp options any connection state any flow 00 00 00 00 00 00 limit count 0 limit burst 0 tion reject log yes rewall rule forward gt Example of Source NAT Masquerading Public out interface OL Public log yes If you want to hide the private LAN 192 168 0 0 24 behind one address 10 0 0 217 given to you by the ISP see the network diagram in the Application Example above you should use the source network address translation masquerading feature of the MikroTik router The masquerading will change the source IP address and port of the packets originated from the network 192 168 0 0 24 to the address MikroTik RouterOS V2 6 Reference Manual 231 Firewall Filters and Network Address Translation NAT 10 0 0 217 of the router when the packet is routed through it To use masquerading a source NAT rule with action masquera
217. MikroTik interface pc gt monitor 0 synchronized no associated no error number 0 admin MikroTik interface pc gt If the wireless interface card is not registered to an AP the green status led is blinking fast To set the wireless interface for working with an IEEE 802 11b access point register to the AP you should set the following parameters e The service set identifier It should match the ssid of the AP Can be blank if you want the wireless interface card to register to an AP with any ssid The ssid will be received from the AP if the AP is broadcasting its ssid e The bitrate of the card should match one of the supported data rates of the AP Data rate auto should work for most of the cases All other parameters can be left as default To configure the wireless interface for registering to an AP with ssid mt it is enough to change the argument value of ssid1 to mt admin MikroTik interface pc gt set 0 ssid1 mt admin MikroTik interface pc gt monitor 0 synchronized yes associated yes frequency 2412MHz data rate 11Mbit s ssid mt access point 00 02 6F 01 5D FE access point name signal quality 132 signal strength 82 error number 0 admin MikroTik interface pc gt If the wireless interface card is registered to an AP the green status led is blinking slow Wireless Troubleshooting e The pc interface does not show up under the interfaces list Obtain the required license for 2 4
218. MikroTik system script gt job print SCRIPT STARTED 0 DelayeD may 09 2001 03 32 18 admin MikroTik system script gt You can cancel execution of a script by removing it from the jobs list admin MikroTik system script gt job remove 0 admin MikroTik system script gt job print admineMikroTik system script gt print O name log test source log message kuku owner admin last started may 09 2001 03 36 44 run count 3 1 name DelayeD source delay 10m owner admin last started may 09 2001 03 32 18 run count 1 admineMikroTik system script gt Network Watching Tool Netwatch monitors state of hosts on the network It does so by sending ICMP pings to list of specified IP addresses For each entry in netwatch table you can specify IP address ping interval and console scripts The main advantage of netwatch is ability to issue arbitrary console commands on host state changes Here s an example configuration of netwatch It will run the scripts gw_1 or gw_2 which change the default gateway depending on the status of one of the gateways MikroTik system script gt add name gw_1 source ip route set ip route find dst 0 add name gw_2 source ip route set ip route find dst 0 MikroTik system script gt tool netwatch add host 10 0 0 217 interval 10s timeout 998ms up script gw_2 down script gw_1 MikroTik tool netwatch gt print Flags X disabled gateway 10 0 0 1 0 0 0 0 0 0 gateway 10 0 0 217 Mikr
219. N Voice Port for Voice over IP (voip)
Numbers
Regional Settings
Audio CODEC
• IP Telephony Accounting
• IP Telephony Gatekeeper
• IP Telephony Troubleshooting
• IP Telephony Applications
• Setting up the MikroTik IP Telephone
• Setting up the IP Telephony Gateway
• Setting up the Welltech IP Telephone
• Setting up the MikroTik Router and CISCO Router
IP Telephony Specifications
Supported Hardware
The MikroTik RouterOS V2.6 supports the following telephony cards from Quicknet Technologies, Inc. (http://www.quicknet.net):
• Internet PhoneJACK (ISA) for connecting an analog telephone
• Internet LineJACK (ISA) for connecting an analog telephone line or a telephone
For supported ISDN cards, please see the ISDN Interface Manual. The MikroTik RouterOS V2.6 supports the Voicetronix OpenLine4 telephony card, for connecting four (4) analog telephone lines, from Voicetronix, Inc. (http://www.voicetronix.com.au). The MikroTik RouterOS V2.6 supports the Zaptel Wildcard X100P IP telephony card, for connecting one analog telephone line, from Linux Support Services (http://www.digium.com).
Supported Standards
• Standards for VoIP: The MikroTik RouterOS supports IP Telephony in compliance with the International Telecommunications Union - Telecommunications (ITU-T) specification H.323v4. H.323 is a specification for transmitting multimedia (voice, video, and data) acros
220. OL 0 D RealTek 8139 1 Moxa C101 Synchronous 0xd0000 fadmin MikroTik driver gt There can be several reasons for a failure to load the driver e The driver cannot be loaded because other device uses the requested IRQ Try to set different IRQ using the DIP switch e The requested memory base address cannot be used on your motherboard Try to change the memory base address using the DIP switches For the MOXA C101 PCI card driver is loaded automatically admin MikroTik gt driver print Flags I invalid D dynamic DRIVER IRQ IO MEMORY ISDN PROTOCOL 0 D Moxa C101 PCI 1 D RealTek 8139 admineMikroTik gt MikroTik RouterOS V2 6 Reference Manual 131 MOXA C101 Synchronous Interface Synchronous Interface Configuration If the driver has been loaded successfully no error messages and you have the required Synchronous Software License then the synchronous interface should appear under the interfaces list with the name syncn where n is 0 1 2 You can change the interface name to a more descriptive one using the set command To enable the interface use the enable command admin MikroTik gt interface print Flags X disabled D dynamic R running NAME TYPE MTU O R etherl ether 1500 1 X ether2 ether 1500 2 X ether3 ether 1500 3 X syncl sync 1500 admin MikroTik gt interface admin MikroTik interface gt set 3 name moxa admin MikroTik interface gt enable moxa admin MikroTi
221. P Route Management 1 S 192 168 0 0 16 r 10 10 10 2 1 Public 2 DC 10 0 0 0 24 00 00 50 0 Public admin MikroTik ip route gt print detail Flags X disabled I invalid D dynamic J rejected connect S static R rip O ospf B bgp O S dst address 0 0 0 0 0 preferred source 0 0 0 0 gateway 10 0 0 1 gateway state reachable distance 1 interface Public 1 S dst address 192 168 0 0 16 preferred source 0 0 0 0 gateway 10 10 10 2 gateway state reachable distance 1 interface Local 1 DC dst address 10 0 0 0 24 preferred source 10 0 0 217 gateway 0 0 0 0 gateway state reachable distance 0 interface Public admin MikroTik ip route gt Description of the printout number number assigned to the item in the list flag shows the status of the item dst address netmask destination address and network mask where mask is number of bits in the subnet mask gateway gateway host that can be reached directly through some of the interface You can specify multiple gateways separated by comma for equal cost multipath routes See more information on that below gateway state shows the status of the next hop Can be r reachable or u unreachable preferred source source address of packets leaving the router via this route Must be a valid address of the router which is assigned to the router s interface where the packet leaves Default value is 0 0 0 0 1 e it is determined at the ti
222. RESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 AOL 1294 1 Public 1 DC 192 168 0 0 24 r 0 0 0 0 0 wl home 2 DC 10 1 1 0 24 0 02050 0 Public admin MikroTik ip route gt
Testing the Network Connectivity
Use the ping command to test the connectivity from the router:
    [admin@home_gw] > ping 192.168.0.1
    192.168.0.1 pong: ttl=32 time=3 ms
    192.168.0.1 pong: ttl=32 time=2 ms
    192.168.0.1 pong: ttl=32 time=2 ms
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 2/2.3/3 ms
    [admin@home_gw] >
Copyright 1999-2002, MikroTik
DHCP Client and Server
Document revision 27-Nov-2002. This document applies to the MikroTik RouterOS V2.6.
Overview
DHCP (Dynamic Host Configuration Protocol) supports easy distribution of IP addresses for a network. The MikroTik RouterOS implementation includes both server and client modes and is compliant with RFC2131. General usage of DHCP:
• IP assignment in LAN, cable-modem, and wireless systems
• Obtaining IP settings on cable-modem systems
IP addresses can be bound to MAC addresses using the static lease feature. The DHCP server can be used with the MikroTik RouterOS HotSpot feature to authenticate and account for DHCP clients. See the HotSpot Manual for more details.
Contents of the Manual
The following topics are covered in this manual:
• Installation
• Hardware Resource Usage
• DHCP Description
• DHCP Client
223. ROADCAST INTERFACE 0 10 1 0 1 24 10 1 0 0 1051 0 255 main_link ds 10 3 0 1 24 10 3 0 0 10 30 255 backup 2 192 168 0 1 24 192 168 0 0 192 168 0 255 local 3D 10 4 0 1 32 10 4 0 2 0 0 0 0 pptp outl OSPF peer 1 OSPF settings OSPF peer 1 gt routing ospf gt print router id 0 0 0 0 distribute default never redistribute connected as type 1 redist ribute static no redistribute rip no redistribute bgp no metric default 1 met OSPF peer 1 OSPF peer 1 O interface ric connected 20 metric static 20 metric rip 20 metric bgp 20 routing ospf gt interface add interface pptp outl cost 50 routing ospf gt interface print pptp outl cost 50 priority 1 authentication key retransmit interval 5s transmit delay 1s hello interval 10s dead interval 40s MikroTik RouterOS V2 6 Reference Manual 348 ENTIC Open Shortest Path First OSPF Routing Protocol OSPF peer 1 routing ospf gt area print Flags X disabled I invalid NAME AREA ID STUB DEFAULT COST AUTHENTICATION 0 backbone 0 0 0 0 none OSPF peer 1 routing ospf gt network print Flags X disabled I invalid NETWORK AREA 0 10 1 0 0 24 backbone il 10 4 0 2 32 backbone OSPF peer 1 routing ospf gt Routing Tables After the PPTP tunnel and OSPF protocol between two routers has been set up as described above and the links between them are operational the routing tables of the two ro
224. RY mode file transfer.
• Upload the software package files to the router and disconnect.
• View the information about the uploaded software packages using the /file print command.
• Reboot the router by issuing the /system reboot command or by pressing Ctrl+Alt+Del keys at the router's console.
Example output of the /file print command:
    [admin@MikroTik] > file print
      # NAME                      TYPE     SIZE    CREATION-TIME
      0 ssh_host_key.pub          unknown  332     jan/23/2002 18:45:02
      1 ssh_host_dsa_key.pub      unknown  603     jan/23/2002 18:45:08
      2 cyclades-2.6beta4.npk     package  114321  jan/31/2002 17:45:27
      3 framerelay-2.6beta4.npk   package  94632   jan/31/2002 17:45:29
    [admin@MikroTik] >
The installation/upgrade process is shown on the console screen (monitor) attached to the router. After successful installation, the software packages installed can be viewed using the /system package print command.
Note! The versions of packages should match the version number of the system software package.
Contents of the Software Packages
System Software Package
The system software package provides the basic functionality of the MikroTik RouterOS, namely:
• IP address, ARP, static IP routing, policy routing, firewall (packet filtering, masquerading, and static NAT), traffic shaping (queues), IP traffic accounting, MikroTik Neighbour Discovery, IP Packet Packing, DNS client settings, IP service (servers)
• Ethernet interfaces
• IP over IP tunnel interfaces (IPIP)
• Ether
225. Remote log server UDP port Used when logging type is remote If not set default log server UDP port is used Types of logging local logs are stored in local log buffer Local logs can be viewed using log print command none logs from this source are discarded remote logs are sent to remote log server Log Management Examples Use the log print command to view the local logs admin Mi TIME aug 12 2 aug 12 2 aug 12 2 aug 12 2 aug 12 2 aug 12 2 aug 12 2 aug 12 2 aug 12 2 aug 12 2 aug 12 2 aug 12 2 aug 12 2 more 002 16 42 002 16 42 002 16 42 002 16 50 002 19 20 002 19 23 002 19 23 002 19 26 002 19 26 O02 1933 002 19 38 002 19 39 002 19 OL 05 32 57 49 53 10 22 11 28 13 48 00 1 kroTik gt log print MESSA GE user user user user user route route route route added pool pool pool admin logged admin logged admin logged admin logged admin logged in via console in from 10 0 0 250 via ftp out from 10 0 0 250 via ftp in from 10 0 0 250 via telnet in via web changed by admin changed by admin changed changed prefix list a added a removed a added by admin To view complete not truncated log lines use the log print detail command fadmin MikroTik time aug 12 2002 16 42 32 message user admin logged in from 10 0 0 250 via ftp gt log print detail MikroTik RouterOS V2 6 Reference Ma
226. Resource Usage
There is no other significant resource usage.
Traffic Monitor Description
Each item in the traffic monitor list consists of its name (which is useful if you want to disable or change properties of this item from another script), some parameters specifying the traffic condition, and the pointer to a script or scheduled event to execute when this condition is met. Events monitor items are managed under the /tool traffic-monitor submenu:
    [admin@MikroTik] tool> traffic-monitor print
    Flags: X - disabled, I - invalid
      #   NAME      INTERFACE  TRAFFIC   TRIGGER  THRESHOLD  ON-EVENT
      0   turn_on   ether1     received  above    15000      eth-up
      1   turn_off  ether1     received  below    12000      eth-down
Argument description for the traffic monitoring tool:
    name - Name of traffic monitor item
    interface - Interface to monitor
    threshold - Traffic threshold, in bits per second
    trigger - Condition on which to execute the script (above, always, below)
    traffic - Type of traffic to monitor (transmitted, received)
    on-event - Script source. Must be present under /system script
You should specify the interface on which to monitor the traffic, the type of traffic to monitor (transmitted or received), and the threshold (bits per second). The script is started when traffic exceeds the threshold in the direction given by the trigger argument. above means that the script will be run each tim
227. Ring voltage impendance setting for line jack card dial tone frequency Frequency and volume gain of dial tone Hz x dB name New regional setting name ring tone cadence Ring tone cadence in ms 0 end of cadence ring tone frequency Frequency and volume gain of ring tone Hz x dB admin MikroTik ip telephony region gt To change for example the volume gain of both dial tone frequencies to 6dB for a user defined region office you need to enter the command admin MikroTik ip telephony region gt set office dial tone frequency 350x 6 440x 6 Audio CODEC The available Audio Coding and Decoding Protocols CODEC are listed under ip telephony codec menu admin MikroTik ip telephony codec gt print Flags X disabled NAME 0 G 723 1 6 3k sw 1 G 728 16k hw MikroTik RouterOS V2 6 Reference Manual 286 IP Telephony 711 ALaw 64k hw 7111 uLaw 64k hw 7111 uLaw 64k sw 711 ALaw 64k sw G 729A 8k sw GSM 06 10 13 2k sw LPC 10 2 5k sw 9 G 723 1 6 3k hw 10 G 729 8k sw admin MikroTik ip telephony codec gt OCOINAAHBWND 0000 CODECs are listed according to their priority of use The highest priority is at the top CODECs can be enabled disabled and moved within the list When connecting with other H 323 systems the protocol will negotiate the CODEC which both of them support according to the priority order The hardware codecs hw are built in CODECs supported by Quicknet cards If an ISDN card is used
228. MikroTik RouterOS V2.6 Reference Manual. Table of Contents: MikroTik RouterOS V2.6 Basic Setup Guide; Setting up MikroTik RouterOS; Downloading and Installing the MikroTik RouterOS; 1. Download the basic installation archive file; 2. Create the installation media; 3. Install the MikroTik RouterOS software; Obtaining the Software License; Logging into the MikroTik Router; Adding Software Packages; Navigating the Terminal Console; Accessing the Router Remotely Using Web Browser and WinBox Console; Overview
229. Static Routes
Any static route can be added using the add command under the /ip route menu. You do not need to add routes to networks directly connected to the router, since they are added automatically when adding the IP addresses. However, unless you use some routing protocol (RIP or OSPF), you may want to specify static routes to specific networks, or the default route. For example, we can add two static routes to networks 192.168.0.0/16 and 0.0.0.0/0 (the default destination address) of a router with two interfaces and two IP addresses:
    [admin@MikroTik] ip route> /ip address print
    Flags: X - disabled, I - invalid, D - dynamic
      #   ADDRESS          NETWORK      BROADCAST    INTERFACE
      0   10.0.0.217/24    10.0.0.217   10.0.0.255   Public
    [admin@MikroTik] ip route> add ?
    creates new item with specified property values.
      comment          short description of the item
      copy-from        item number
      disabled
      distance
      dst-address      Destination
      gateway          Gateway
      netmask          Network mask
      preferred-sourc  Source address of packets leaving the router
    [admin@MikroTik] ip route> add dst-address=192.168.0.0/16 gateway=10.0.0.2
    [admin@MikroTik] ip route> add gateway=10.0.0.1
    [admin@MikroTik] ip route> print
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
      #    DST-ADDRESS   G GATEWAY    DISTANCE  INTERFACE
      0  S 0.0.0.0/0     r 10.0.0.1   1         Public
230. MikroTik RouterOS V2.6 Reference Manual. Table of Contents: Ethernet Interface Configuration; Ethernet over IP (EoIP) Tunnel Interface; Contents of the Manual; Hardware Resource Usage; EoIP Interface and Protocol Description; EoIP Setup; EoIP Application Example; FarSync X.21 Interface; Overview; Contents of the Manual; Synchronous Adapter Hardware and Software Installation; Software Packages; Software License; Synchronous Interface Configuration; Troubleshooting; Synchronous Link Applications; MikroTik Router to MikroTik R
231. Tik] driver> add name=ne2k-isa io=0x300
    [admin@MikroTik] driver> print
    Flags: I - invalid, D - dynamic
      #   DRIVER                          IRQ  IO     MEMORY  ISDN-PROTOCOL
      0 D RealTek RTL8129/8139
      1 D NationalSemiconductors 83820
      2 D Intel PRO/1000 Server Adaper
      3   ISA NE2000                           0x300
    [admin@MikroTik] driver>
There can be several reasons for a failure to load the driver:
• The driver cannot be loaded because another device uses the requested IRQ. Try to free up the required IRQ or get a different card.
• The requested I/O base address cannot be used on your motherboard. Get another motherboard.
Note that for some ISA cards there is a utility that configures the resources used by the card. Some other cards might have jumpers that control the same thing. If other cards use the requested resource, try changing these settings. For more information on installing PCMCIA cards, check Notes on PCMCIA Adapters first.
Ethernet Interface Configuration
If the driver has been loaded successfully (no error messages), then the Ethernet interface should appear under the interfaces list with the name etherX, where X is 1, 2, ... You can change the interface name to a more descriptive one using the set command. To enable the interface, use the enable command:
    [admin@MikroTik] > interface print
    Flags: X - disabled, D - dynamic, R - running
      #   NAME    TYPE   MTU
      0 X ether1  ether  1500
      1 R et
232. Tik ip policy routing table main gt admin MikroTik ip policy routing table main gt ip route print Flags X disabled I invalid D dynamic J rejected G connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE O Ss 192 168 1 0 24 r 192 168 0 50 1 Local 1 S 0 0 0 0 0 r 10 0 0 1 1 Public 2 DC 192 168 0 0 24 r 0 0 0 0 0 Local 3 DC 10 0 0 0 24 r 0 0 0 0 0 Public admin MikroTik ip policy routing table main gt Application Example for Policy Routing We want packets coming from 1 1 1 0 24 use gateway 10 0 0 1 and packets from 2 2 2 0 24 use gateway 10 0 0 2 And the rest of packets use gateway 10 0 0 254 assuming we already have it so 10 0 0 254 Network 10 0 0 024 22 D i 9 92 Pet interface Public MikroTik address 10 0 0 12 24 Router interface Local address 2 2 2 1 24 interface Local address 1 1 1 1 24 LAN Segment 1 LAN Segment 2 Commands to achieve this 1 Add 2 new routing tables admin MikroTik ip policy routing gt add name from_netl add name from_net2 admin MikroTik ip policy routing gt print Flags X disabled NAME 0 from_netl 1 from_net2 2 main admin MikroTik ip policy routing gt 2 Create the default route in each of the tables admin MikroTik ip policy routing gt table from_netl add gateway 10 0 0 1 admin MikroTik ip policy routing gt table from_net2 add gateway 10 0 0 2 MikroTik RouterOS V2 6 Re
233. (Table of Contents, continued:) FrameRelay (PVC) Interfaces; Overview; Frame Relay Installation on the MikroTik RouterOS; Configuring Frame Relay Interface; Cyclades PC300 interface; MOXA C101 interface; Frame Relay PVC interface; Frame Relay Configuration Example with Cyclades Interface; Frame Relay Configuration Example with MOXA Interface; Frame Relay Troubleshooting; IP over IP (IPIP) Tunnel Interface; Contents of the Manual; Hardware Resource Usage; IPIP Interface and Protocol Description; ISDN Inter
234. (Table of Contents, continued:) Contents of the Manual; Hardware Resource Usage; Serial Port Configuration; PPP Server; Additional Resources; Point to Point Protocol over Ethernet (PPPoE); PPPoE Installation on the MikroTik RouterOS; PPPoE hardware resource usage; PPPoE Client; PPPoE Server Setup (Access Concentrator); PPPoE bandwidth setting; PPPoE in a multipoint wireless 802.11b network; PPPoE Troubleshooting; Additional Resources; Point to Point Tu
235. W
• Aironet ISA/PCI/PC4500 2.4GHz DS 2Mbps Wireless LAN Adapters (100mW)
• CISCO AIR-PCI340 2.4GHz DS 11Mbps Wireless LAN Adapters (30mW)
• CISCO AIR-PCI/PC330/352 2.4GHz DS 11Mbps Wireless LAN Adapters (100mW)
For more information about the CISCO/Aironet PCI/ISA adapter hardware, please see the relevant User's Guides and Technical Reference Manuals in .pdf format:
• 710-003638a0.pdf for PCI/ISA 4800 and 4500 series adapters
• 710-004239B0.pdf for PC 4800 and 4500 series adapters
Documentation about CISCO/Aironet Wireless Bridges and Access Points can be found in archives:
• AP48MAN.exe for AP4800 Wireless Access Point
• BRSOMAN.exe for BR500 Wireless Bridge
To use CISCO/Aironet PCMCIA cards, first check Notes on PCMCIA Adapters.
Contents of the Manual
The following topics are covered in this manual:
• Wireless Adapter Hardware and Software Installation: Software Packages; Software License; System Resource Usage; Installing the Wireless Adapter; Loading the Driver for the Wireless Adapter
• Wireless Interface Configuration
• Wireless Troubleshooting
• Wireless Network Applications: Point-to-Multipoint Wireless LAN; Point-to-Point Wireless LAN
Wireless Adapter Hardware and Software Installation
Software Packages
The MikroTik Router should have the aironet software package installed. The software package file aironet-2.6.x.npk can be downloaded from MikroTik's web page www.MikroTik.com. To install the p
236. W6692-based adapters: w6692
For example, for the HFC-based PCI card, it is enough to use the /driver add name=hfc command to get the driver loaded. Check the loaded drivers by using the /driver print command. Example output looks like this:
    [admin@MikroTik] driver> print
    Flags: I - invalid, D - dynamic
      #   DRIVER          IRQ  IO  MEMORY  ISDN-PROTOCOL
      0 D RealTek 8139
      1   HFC 2BDS0 PCI                    euro
    [admin@MikroTik] driver>
ISDN Channels
ISDN channels are added to the system automatically when the ISDN card driver is loaded. Each channel corresponds to one physical 64K ISDN data channel. The list of available ISDN channels can be viewed using the /isdn-channels print command. The channels are named channel1, channel2, and so on. E.g., if you have two ISDN channels, and one of them is currently used by an ISDN interface but the other is available, the output should look like this:
    [admin@MikroTik] isdn-channels> print
    Flags: X - disabled, E - exclusive
      #   NAME      CHANNEL  DIR  TYPE  PHONE
      0   channel1  0        in   data  137
      1   channel2  1
    [admin@MikroTik] isdn-channels>
ISDN channels are very similar to PPP serial ports. Any number of ISDN interfaces can be configured on a single channel, but only one interface can be enabled for that channel at a time. It means that every ISDN channel is either available or used by an ISDN interface.
MSN and EAZ numbers
In Euro-ISDN a su
237. With Bytes First-In First-Out (BFIFO) and Packets First-In First-Out (PFIFO), packets are served in the same order as they are received. The only difference between BFIFO and PFIFO is that PFIFO has a length measured in packets, BFIFO in bytes. Generally, you do not want to use BFIFO or PFIFO as traffic shapers. It's better to use them just for statistics, as they are pretty fast. The only exception is when you are running out of resources with RED and/or with a complicated queue tree. Stochastic Fair Queuing (SFQ) cannot limit traffic at all. Its main idea is to equalize sessions (not computer traffic, but session traffic; this is sometimes mentioned as an SFQ drawback) when your link is completely full. It works in round-robin fashion, giving each session a chance to send sfq-allot bytes. Its algorithm can distinguish only 1024 sessions, and that is why several sessions can be treated as one. Every sfq-perturb seconds it drops the internal table mixing all the connections and creates a new table. As it is very fast, you may want to use it as a child queue. The normal behavior of queues is called tail-drop. Tail-drop works by queuing up to a certain amount, then dropping all traffic that spills over. Random Early Detection (RED) is also known as Random Early Drop because it actually works that way: it statistically drops packets from flows before it reaches its hard limit. This causes a congested backbone link to slow more gracefully. It starts dropping packets w
238. abled I invalid D dynamic J rejected e connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE MikroTik RouterOS V2 6 Reference Manual 345 Open Shortest Path First OSPF Routing Protocol 0 DO 0 0 0 0 0 E 10 302 110 backup 1 DC 192 168 0 0 24 r 0 0 0 0 0 local 2 DO 10 2 0 0 24 r 10 302 110 backup 3 DC 10 3 0 0 24 r 0 0 0 0 0 backup 4 DC 10 1 0 0 24 r 0 0 0 0 0 main_link 5 DO 10 0 0 0 24 r 10 302 110 backup admin OSPF peer 1 gt On the Peer 2 admin OSPF peer 2 gt ip route print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 DO 0 0 0 0 0 r 10 2 0 2 110 main 1 DO 192 168 0 0 24 E LO0 3 OL 110 to peerl 2 DC 10 2 0 0 24 r 0 0 0 0 0 main 3 DC 10 3 0 0 24 r 0 0 0 0 0 to peerl 4 DO 10 1 0 0 24 E 10 202 LLO main 5 DO 10 0 0 0 24 E LO 2 0 2 110 main admin OSPF peer 2 gt The change of the routing takes approximately 40 seconds the hello interval setting If required this setting can be adjusted but it should be done on all routers within the OSPF area OSPF Backup using Encrypted Tunnel through a Third Party This example shows how to use OSPF for backup purposes if you have to use third party link for backup and you are not controlling the routers on the backup link Internet OSPF Main isp2 70 2 0
239. ace use the enable command MikroTik RouterOS V2 6 Reference Manual 139 MOXA C502 Synchronous Interface admin MikroTik gt interface print Flags R BWNYE O x MK OX admin MikroTi X disabled D dynamic R running NAME TYPE MTU ether1 ether 1500 ether2 ether 1500 ether3 ether 1500 moxal moxa 1500 moxa2 moxa 1500 gt interface Tik admin MikroTik interface gt set 3 name moxa Tik admin MikroTi interface gt enable moxa admin MikroTik interface gt print Flags R X X Ss UN RO X X disabled D dynamic R running NAME TYPE MTU ether1 ether 1500 ether2 ether 1500 ether3 ether 1500 moxa moxa 1500 moxa2 moxa 1500 admin MikroTik gt More configuration and statistics parameters can be found under the interface moxa c502 menu admin MikroTik interface gt moxa c502 admin MikroTik interface moxa c502 gt print Flags 0 X X disabled R running name moxal mtu 1500 line protocol sync ppp clock rate 64000 clock source external frame relay lmi type ansi frame relay dce no cisco hdlc keepalive interval 10s name moxa2 mtu 1500 line protocol sync ppp clock rate 64000 clock source external frame relay lmi type ansi frame relay dce no cisco hdlc keepalive interval 10s fadmin MikroTik interface moxa c502 gt Argument description numbers Interface number in the list cisco hdlc keepalive interval
240. ackage, please upload the correct version file to the router and reboot. Use BINARY mode ftp transfer. After successful installation, the package should be listed under the installed software packages list, for example:
    [admin@MikroTik] > system package pr
    Flags: I - invalid
      #   NAME     VERSION   BUILD-TIME            UNINSTALL
      0   system   2.6beta3  jul/31/2002 14:05:02  no
      1   ppp      2.6beta3  jul/31/2002 14:05:25  no
      2   pppoe    2.6beta3  jul/31/2002 14:05:42  no
      3   pptp     2.6beta3  jul/31/2002 14:05:39  no
      4   aironet  2.6beta3  jul/31/2002 14:05:45  no
    [admin@MikroTik] >
Software License
The 2.4GHz wireless adapters require the 2.4GHz wireless feature license. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The wireless feature is not included in the Free Demo or Basic Software License. The 2.4GHz Wireless Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.
System Resource Usage
Before installing the wireless adapter, please check the availability of free IRQs and I/O base addresses:
    [admin@MikroTik] > system resource irq print
    Flags: U - unused
       IRQ  OWNER
       1    keyboard
       2    APIC
     U 3
       4    sync1
     U 5
     U 6
     U 7
     U 8
     U 9
     U 10
       11   ether1
     U 12
       13   FPU
       14   IDE 1
    [admin@MikroTik] > system resourc
241. (Table of Contents, continued:) Installation; Hardware Resource Usage; Telnet Client Description; Telnet Client Examples; Specifications; UPS Monitor Setup; Property Description; Example; Description; Example; UPS Monitoring; Property Description; Example; Additional Resources; Contents of the Manual; User Management; User Groups; Hardware Resource Usage; Bandwidth Test Description
242. aeeeeeeeceaeceaecseaaecseaeceeneeesas 203 Wireless Troubleshooting iii denies deve wees tens saneves dante orar sets 205 Wareless Network Applic OS utilice lacacoenncegaveadsscadbes ductelstages la isis bate ceethisavsigtsade 205 Point to Multipoint Wireless LAN c cccesccessscessseceeeceeseeeesaeceaeceeaaeceeneceeeeeaeeeaaeceeaaeceaeeceeeees 205 IP Network Configuration cee e ooer ESETEKEN DONE EDNET EAER RE EERE S aaas 206 Point to Point Wireless LAN in e a aa aea a n a a aae aaria ksi 207 IP Network Configuration eee ceccccescessseesseeceeeeeceececsaeceeseceeaaeceeaeeeeeeecaeeeaeeeeaaeceeaeceeeeessas 208 Testing the Network Connectivity n eeni a a i ai a a ii 209 Point to Point Wireless LAN with Windows ClleDt oooonoconocononuonononononanannonnnonononcnnononononocononononos 209 IP Network Configuration eiii in 210 Testing the Network Connectivity ceccecssccesneeceeeeceeecesaeceeaaecseceeseneecaeeesaeceeaaeceeaeceeeeessas 211 DHCP Client ANG Server annia EEN AATETTA ANE ENANAR 212 OVER RC RR di 212 Contents ofthe Manual idad ai a A ae ada 212 AN E E E ERA A E RN 212 Hardware Resource US ase tenrias a eee EEA E TE aE EEE E E o ian 212 DHCP DESC da 212 DHCP Cli nt Sellos clica ticas 213 AA A NOS 213 SAME LOS 215 Additional DHCP RESCUE Ei 215 A lavseblesesetuest svessssssusssssceddaseseleesecteessectuasedesdavedescetiesscenssssdesseleestessse 216 OU ii 216 Contents MA aa 216 Installation iii iio its 216
243. affic accounting table. One IP pair will have computer A as the source and computer B as the destination. Another IP pair will have computer B as the source and computer A as the destination.
Threshold settings
The threshold setting limits the maximum number of IP pairs in the accounting table. When the limit is reached, no new IP pairs will be added to the accounting table. Each packet that is not accounted for in the accounting table will then be added to the uncounted counter. To see if the limit on pairs has been reached, check the uncounted counter:
[MikroTik] ip accounting uncounted> print
packets: 0
bytes: 0
When a snapshot is made for data collection, the accounting table is cleared and new IP pairs and traffic data are added. The more frequently traffic data is collected, the less likely it is that the IP pairs threshold limit will be reached. It is suggested that traffic data be collected every 15 minutes.
Traffic data display and collection
The traffic data can be viewed by both the telnet terminal console and WinBox. The traffic data can be collected manually or by using standard Unix/Linux utilities and MikroTik's shareware MT_Syslog Daemon and Traffic Counter. This manual section will cover:
• Snapshots
• Web report setup
The traffic accounting system consists of a current accounting table and a snapshot image. When the snapshot image is made of t
244. ames of properties that can be accessed by get are the same as shown by print command plus names of item flags like the disabled in the example above You can use tab key completions to see what properties any particular get command can return More on syntax It is possible to include comments in console scripts If script line starts with all characters until newline are ignored It is possible to put multiple commands on single line separating them by Console treats as end of line when separating script text into commands If you want to use any of characters in string you have to prefix them with character Console takes any character following literally without assigning any special meaning to it except for such cases a bell alarm character code 7 b backspace character code 8 NE form feed character code 12 n newline character code 10 Mr carriage return character code 13 NE tabulation character code 9 v vertical tabulation character code 11 Ya space character code 32 Also followed by any amount of whitespace characters spaces newlines carriage returns tabulations followed by newline is treated as a single whitespace except inside quotes where it is treated as nothing This is used by console to break up long lines in scripts generated by export commands Copyright 1999 2001 MikroTik MikroTik RouterOS V2 6 Reference Manual 46 SSH Installation and Usag
245. anagement for the whole traffic leaving an interface, or for certain source and/or destination addresses. For more sophisticated queue setup, use the queue trees described further on. To add simple queues, use the queue simple add command:
[admin@MikroTik] queue simple> add dst-address=192.168.0.0/24 interface=ether1 \
limit-at=128000
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid
0 name="" src-address=0.0.0.0/0 dst-address=192.168.0.0/24 interface=ether1 limit-at=128000 queue=default priority=8 bounded=yes
[admin@MikroTik] queue simple>
Argument description:
name - descriptive name for the queue
src-address - Source IP address. Can be set in the form a.b.c.d/n, where n is network mask
src-netmask - Source netmask in decimal form a.b.c.d
dst-address - Destination IP address. Can be in the form a.b.c.d/n
dst-netmask - Destination netmask in decimal form a.b.c.d
interface - Outgoing interface of the traffic flow
limit-at - Maximum stream bandwidth (bits/s). 0 means no limit (default for the interface)
queue - queue type. If you specify a queue type other than default, then it overrides the default queue type set for the interface under queue interface. See the queue type for available types
priority - Flow priority (1..8), 1 is the highest
bounded - Queue is bounded
To track how the rules are processed, see the bytes and packets counters for the queues:
admin
246. and thereby help to discover network bottlenecks The ICMP test uses two standard echo requests per second Time between these pings can be changed As ping packet size can be varied it is possible to evaluate connection parameters and speed approximately with different packet sizes Statistics for throughput are calculated using the entire size of the ICMP packets interval between ICMP echo request and echo reply and differences between parameters of the first packets and the second Topics covered in this manual e Installation e Hardware Resource Usage e ICMP Bandwidth Test Description e Bandwidth Test Example Installation The ICMP Bandwidth Test feature is included in the advanced tools package The software package file advanced tools 2 6 x npk can be downloaded from MikroTik s web page www MikroTik com To install the package please upload the correct version file to the router and reboot Use BINARY mode ftp transfer Hardware Resource Usage There is no other significant resource usage ICMP Bandwidth Test Description admin MikroTik tool gt ping speed lt address gt do first ping size interval once print statistics once and quit second ping siz time between pings admin MikroTik tool gt ping speed Setting description do scription feature first ping size Size of the first ICMP packet default value 32 second ping size Size of the second ICMP packet default value 15
247. ansmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0/0.0/0 ms
[admin@MikroTik] ip route>
The workstation and the laptop can reach (ping) the router at its local address 192.168.0.254. If the router's address 192.168.0.254 is specified as the default gateway in the TCP/IP configuration of both the workstation and the laptop, then you should be able to ping the router:
C:\>ping 192.168.0.254
Reply from 192.168.0.254: bytes=32 time=10ms TTL=253
Reply from 192.168.0.254: bytes=32 time<10ms TTL=253
Reply from 192.168.0.254: bytes=32 time<10ms TTL=253
C:\>ping 10.0.0.217
Reply from 10.0.0.217: bytes=32 time=10ms TTL=253
Reply from 10.0.0.217: bytes=32 time<10ms TTL=253
Reply from 10.0.0.217: bytes=32 time<10ms TTL=253
C:\>ping 10 0 0
Request timed out.
Request timed out.
Request timed out.
You cannot access anything beyond the router (network 10.0.0.0/24 and the Internet), unless you do the following:
• Use source network address translation (masquerading) on the MikroTik router to hide your private LAN 192.168.0.0/24 (see the information below), or
• Add a static route on the ISP's gateway 10.0.0.1, which specifies the host 10.0.0.217 as the gateway to network 192.168.0.0/24. Then all hosts on the ISP's network, including the server, will be able to communicate with the hosts on the LAN.
To set up routing, it is required that you have s
248. are Installation
Please install the ISDN adapter into the PC according to the instructions provided by the adapter manufacturer. The ppp-2.6.x.npk (less than 310KB) and the isdn-2.6.x.npk (less than 390KB) packages are required. The packages can be downloaded from MikroTik's web page www.mikrotik.com. To install the packages, please upload them to the router with ftp and reboot. You may check to see if the packages are installed with the command:
[admin@MikroTik] system package> print
Flags: I - invalid
NAME VERSION BUILD-TIME UNINSTALL
0 ppp 2.6rc4 sep/11/2002 14:43:31 no
1 system 2.6rc4 sep/11/2002 14:43:03 no
2 isdn 2.6rc4 sep/11/2002 15:06:32 no
[admin@MikroTik] system package>
Loading the ISDN Driver
The ISDN driver should be loaded using the driver add command:
[admin@MikroTik] driver> add name=driver_name
Argument description:
driver_name - name of the driver. The list of available drivers can be obtained by entering driver add name= and pressing Tab twice
isdn-protocol - data channel protocol, the default is euro
Complete list of all supported ISDN adapters and their driver names:
• Eicon Diehl Diva - diva
• Sedlbauer Speed - sedlbauer
• ELSA Quickstep 1000 - elsa
• NETjet - netjet
• Teles - teles
• Dr. Neuhaus Niccy - niccy
• AVM - avm
• Gazel - gazel
• HFC 2BDS0 based adapters - hfc
•
249. are conflicts The list of PCI drivers is below ne2k pci Driver is suitable for the Ethernet cards with RealTek RTL 8029 chip RealTek RTL 8029 Winbond 89C940 and 89C940F Compex RL2000 MikroTik RouterOS V2 6 Reference Manual 62 Device Driver Management KTI ET32P2 NetVin NV5000SC Via 86C926 SureCom NE34 Holtek HT80232 Holtek HT80229 3c95x 3Com 3c590 3c900 series Vortex Boomerang driver This device driver is designed for the 3Com FastEtherLink and FastEtherLink XL 3Com s PCI to 10 100baseT adapters It also works with the 10Mbs versions of the FastEtherLink cards The supported product IDs are 30590 30592 30595 30597 3c900 3c905 30590 Vortex 10Mbps 30595 Vortex 100baseTx 30595 Vortex 100baseT4 30595 Vortex 100base MII 3Com Vortex 3c900 Boomerang 10baseT 3c900 Boomerang 10Mbps Combo 3c900 Cyclone 10Mbps Combo 3c900B FL Cyclone 10base FL 3c905 Boomerang 100baseTx 3c905 Boomerang 100baseT4 3c905B Cyclone 100baseTx 3c905B Cyclone 10 100 BNC 3c905B FX Cyclone 100baseFx 3c905C Tornado 3c980 Cyclone 3cSOHO100 TX Hurricane 3c555 Laptop Hurricane 3c575 Boomerang CardBus 3CCFE575 Cyclone CardBus 3CCFE656 Cyclone CardBus 3c575 series CardBus unknown version 3Com Boomerang unknown version eepro100 Intel 182557 182558 i82559ER i82801BA 7 PCI EtherExpressPro driver This device driver is designed for the Intel 182557 Speedo3 chip Intel s single chip fast Ethernet
251. at> print
Flags: X - disabled, I - invalid
0 src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=all icmp-options=any:any flow="" limit-count=0 limit-burst=0 limit-time=0s action=masquerade to-src-address=0.0.0.0 to-src-port=0-65535 bytes=0 packets=0
[admin@MikroTik] ip firewall src-nat>
Please consult the Firewall Manual for more information on masquerading.
Application Example with Bandwidth Management
Mikrotik RouterOS V2.6 offers extensive queue management. For information on queue management, please refer to the relevant manual. Assume you want to limit the bandwidth to 128kbps on downloads and 64kbps on uploads for all hosts on the LAN. Bandwidth limitation is done by applying queues for outgoing interfaces regarding the traffic flow. It is enough to add two queues at the MikroTik router:
[admin@MikroTik] queue simple> add interface=Local limit-at=128000
[admin@MikroTik] queue simple> add interface=Public limit-at=64000
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid
0 name="" src-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=Local limit-at=128000 queue=default priority=8 bounded=yes
1 name="" src-address=0.0.0.0/0 dst-address=0.0.0.0/24 interface=Public limit-at=64000 queue=default priority=8 bounded=yes
[admin@MikroTik] queue simple>
Leave all other parameters as set by default. The limit is approximately 128kbps going to the LAN and 64k
252. ath First OSPF Routing Protocol Internet OSPF Main peer2 10 20 2 main 10 20 71 peer 10 7 0 2 costa OSPF peer 2 main_link 10 101 backup 10 3 0 1 OSPF peer 1 focal 192 168 0 1 LAN 192 168 0 0 24 After changing the cost settings we have only one equal cost multipath route left to the network 10 3 0 0 24 from the OSPF Main router On the main OSPF router admin OSPF Main gt ip route print Flags X disabled I invalid D dynamic J rejected Cc connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 r 10 0 0 1 1 main_gw 1 DO 192 168 0 0 24 r 10 1 0 1 110 peerl 2 DC 10 2 0 0 24 r 0 0 0 0 0 peer2 3 DO 10 3 0 0 24 r 10 2 0 1 110 peer2 FLO 61 2042 peerl 4 DC 10 1 0 0 24 r 0 0 0 0 0 peerl 5 DC 10 0 0 0 24 r 0 0 0 0 0 main_gw adminetOSPF Main gt On the Peer 1 admin OSPF peer 1 gt ip route print Flags X disabled I invalid D dynamic J rejected Cc connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 DO 0 0 0 0 0 r 10 1 0 2 110 main_link 1 DC 192 168 0 0 24 r 0 0 0 0 0 local 2 DO 10 2 0 0 24 r 10 1 0 2 110 main_link 3 DC 10 3 0 0 24 r 0 0 0 0 0 backup 4 DC 10 1 0 0 24 000 050 0 main_link 5 DO 10 0 0 0 24 r 10 1 0 2 110 main_link admin OSPF peer 1 gt On the Peer 2 admin OSPF peer 2 gt ip route print Flag
253. ation Example with MOXA Interface Let us consider the following network setup with MikroTik Router with MOXA C101 synchronous interface connected to a leased line with baseband modems and a CISCO router at the other end admin MikroTik ip address gt add interface pvcl address 1 1 1 1 netmask 255 255 255 0 admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 1 11 91 24 Lalo bet 255 pvcl admin MikroTik ip address gt PVC and Moxa interface configuration Moxa admin MikroTik interface synchronous gt print Flags X disabled R running 0 R name sync1 mtu 1500 line protocol frame relay clock rate 64000 clock source external frame relay lmi type ansi frame relay dce no MikroTik RouterOS V2 6 Reference Manual 116 FrameRelay PVC Interfaces cisco hdlc keepalive interval 10s ignore dcd no admineMikroTik interface synchronous gt PVC admin MikroTik interface pvc gt print Flags X disabled R running NAME MTU DLCI INTERFACE 0O R pvcl 1500 42 syncl fadmin MikroTik interface pvc gt CISCO router setup CISCO show running config Building configuration Current configuration ip subnet zero no ip domain lookup frame relay switching interface Ethernet0 description connected to Ethernet LAN ip address 10 0 0 254 255 255 255 0 j interface Serialo d
254. authentication=yes default-forwarding=yes max-clients=2007 card-type=generic tx-power=auto supported-rates=1-11 basic-rates=1
[admin@MikroTik] interface prism>
Note for CISCO Aironet Wireless Bridge and Access Point users
When working with Prism II chipset based clients, the CISCO Aironet Wireless Bridge or AP should have the following settings: the Proprietary Extensions should be turned off under the Configuration Radio 802.11 menu; the Encapsulation Protocol should be RFC1042 under the Configuration Radio 802.11 Encapsulation menu.
Monitoring the Interface Status
In station mode, the prism interface status can be monitored using the interface prism monitor command:
[admin@MikroTik] interface prism> monitor 0
status: connected-to-ess
data-rate: 11Mbps
ssid: testing
bssid: 00:03:2F:04:25:10
signal-quality: 92
signal-level: 54
noise-level: 99
[admin@MikroTik] interface prism>
Argument description:
status - status of the interface
searching-for-network - the card has not registered to an AP and is searching for one to register to
connected-to-ess - the card has registered to an AP
out-of-range - the card has registered to an AP, but lost the connection to it
data-rate - the actual data rate of the connection
ssid - the Service Set Identifier
bssid - the Basic Servic
255. authorized as this user. If there is no match, the client is asked for username and password. The RADIUS attributes for limit-bytes-in and limit-bytes-out are Mikrotik-Recv-Limit (14988, 1) and Mikrotik-Xmit-Limit (14988, 2). These limits are total limits for each user (not for each session, as at ip hotspot active). So, if the user has already downloaded something, then the session limit will be the total limit minus what was already downloaded. For example, if the download limit for a user is 100MB and the user has already downloaded 30MB, then the session download limit after login at ip hotspot active will be 100MB - 30MB = 70MB. If the user reaches his limits (bytes-in > limit-bytes-in or bytes-out > limit-bytes-out), he will not be able to log on anymore. All these limits (limit-uptime, limit-bytes-in, limit-bytes-out) can be used for pre-paid solutions. Probably quota is a good name for such limits. Along with these parameters, some statistics are available for each user:
[admin@MikroTik] ip hotspot user> print stats
Flags: X - disabled
NAME UPTIME BYTES-IN BYTES-OUT PACKETS-IN PACKETS-OUT
0 ax 29m40s 187476 327623 683 671
[admin@MikroTik] ip hotspot user>
Statistics include:
uptime - total time user has been logged in
bytes-in - total bytes received from user
bytes-out - total bytes sent to user
packets-in - total packets received from user
packets-out - total packets s
256. ble Another important case is add commands which return internal number of newly created item admin MikroTik interface gt user admin MikroTik user gt put add name z password x group full a admineMikroTik user gt This way you can store it in variable for later use Expressions Console can do a simple math with numbers time values ip addresses and strings and lists It is done by writing expressions putting them in parentheses and admin MikroTik user gt put 1 2 3 admin MikroTik user gt interface admin MikroTik interface gt put find type ipip find type ether 6 A B admineMikroTik interface gt Supported operations are e logical negation Unary operation Argument is a truth value Result is an opposite truth value admin MikroTik interface gt put true false admin MikroTik interface gt put 2 gt 3 true admineMikroTik interface gt e unary minus Unary operation Argument and result is a number admin MikroTik interface gt put 1 lt 0 true admineMikroTik gt put 1 1 e bit inversion Unary operations Inverts bits in IP address admin MikroTik interface gt put 255 255 0 0 020 2553 255 admineMikroTik interface gt e sum Add together two numbers two time values or add number to an IP address admineMikroTik interface gt put 3s 5s 8s admin MikroTik interface gt
257. bled I invalid D dynamic J rejected MikroTik RouterOS V2 6 Reference Manual 308 IP Route Management connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE O Ss 192 168 1 0 24 r 192 168 0 50 1 Local L 5 0 0 0007 0 r 10 0 0 1 dl Public 2 DC 192 168 0 0 24 r 0 0 0 0 0 Local 3 DC 10 0 0 0 24 E 00 00 0 Public admin MikroTik ip route gt set 0 gateway 192 168 0 50 192 168 0 51 10 0 0 17 admin MikroTik ip route gt print Flags X disabled I invalid D dynamic J rejected E connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE O S 192 168 1 0 24 r 192 168 0 50 1 Local E MIZ AGS 202541 Local r 10 0 0 17 Public 1 S 0 0 0 0 0 r 100 0 1 1 Public 2 DC 192 168 0 0 24 r 0 0 0 0 0 Local 3 DC 10 0 0 0 24 r 0 0 0 0 0 Public admin MikroTik ip route gt Note that you can specify more than two gateways in the route Moreover you can repeat some routers in the list several times to do a kind of cost setting for gateways Policy Routing Policy routing is implemented using multiple routing tables and list of rules that specify how these tables should be used The Policy Routing is implemented in the MikroTik RouterOS based on source and destination addresses of the packet and on the interface the packet arrives at the router Note Policy routing will not function as desired for packets
258. bps leaving the client's LAN. Please note that the queues have been added for the outgoing interfaces regarding the traffic flow. Please consult the Queues Manual for more information on bandwidth management and queuing.
Application Example with NAT
Assume we have moved the server in our previous examples from the public network to our local one:
[Figure: network diagram. Internet gateway on the public network 10.0.0.0/24; MikroTik router with interface Public, address 10.0.0.217/24, and interface Local, address 192.168.0.254/24; local network 192.168.0.0/24 with workstation 192.168.0.1, laptop 192.168.0.2 and server 192.168.0.4]
The server's address is now 192.168.0.4, and we are running a web server on it that listens to TCP port 80. We want to make it accessible from the Internet at address:port 10.0.0.217:80. This can be done by means of static Network Address Translation (NAT) at the MikroTik router. The public address:port 10.0.0.217:80 will be translated to the local address:port 192.168.0.4:80. One destination NAT rule is required for translating the destination address and port:
[admin@MikroTik] ip firewall dst-nat> add action=nat protocol=tcp dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
[admin@MikroTik] ip firewall dst-nat> print
Flags: X - disabled, I - invalid
0 src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=10.0.0.217
259. bscriber can assign more than one ISDN number to an ISDN line. For example, an ISDN line could have the numbers 1234067 and 1234068. Each of these numbers can be used to dial the ISDN line. These numbers are referred to as Multiple Subscriber Numbers (MSN). A similar, but separate concept is EAZ numbering, which is used in German ISDN networking. An EAZ number can be used in addition to the dialed phone number to specify the required service. For dial-out ISDN interfaces, the MSN/EAZ number specifies the outgoing phone number (the calling end). For dial-in ISDN interfaces, the MSN/EAZ number specifies the phone number that will be answered. If you are unsure about your MSN/EAZ numbers, leave them blank (it is the default). For example, if your ISDN line has numbers 1234067 and 1234068, you could configure your dial-in server to answer only calls to 1234068 by specifying 1234068 as your MSN number. In a sense, MSN is just your phone number.
ISDN Client Interface Configuration
The ISDN client is used to connect to a remote dial-in server (probably an ISP) via ISDN. To set up an ISDN dial-out connection, use the ISDN dial-out configuration menu under the interface isdn-client submenu. ISDN client interfaces can be added using the add command:
[admin@MikroTik] interface isdn-client> add msn=142 user=test password=test phone=144 bundle-128K=no
[admin@MikroTik] interface isdn-client> print
Flags: X - disabled, R - running
0 X na
260. by policy that needs to provide encryption or authentication, but doesn't have any SAs. It notifies the IKE daemon about that, and the IKE daemon initiates a connection to the remote host.
• The IKE daemon responds to a remote connection.
In both cases, peers establish a connection and execute 2 phases:
• Phase 1: peers agree on the algorithms they will use in the following IKE messages and authenticate. Also, keying material used to derive keys for all SAs and to protect the following ISAKMP exchanges between hosts is generated.
• Phase 2: peers establish one or several SAs that will be used by IPsec to encrypt data. All SAs established by the IKE daemon will have lifetime values (either limiting the time after which the SA will become invalid, or the amount of data that can be encrypted by this SA, or both).
There are two lifetime values: soft and hard. When an SA reaches its soft lifetime, the IKE daemon receives notice about it and starts another phase 2 exchange to replace this SA with a fresh one. If an SA reaches its hard lifetime, it is discarded.
Perfect Forward Secrecy (PFS), which can optionally be provided by IKE, is a property of key exchanges which, for IKE, means that compromising the long term phase 1 key will not allow an attacker to easily gain access to all IPsec data that is protected by SAs established through this phase 1. It means additional keying material is generated for each phase 2. Generation of keying material is computationally very expensive. Use of modp8192 group can take several se
261. by the software package.
• The package files have been uploaded to the router, but they have not been installed. Reboot the router.
• The version 2.2.x has been upgraded to the version 2.6.y, but the connection to the router was lost after the reboot. The configuration has been lost. Using the console (monitor and keyboard attached to the router), restore the configuration.
Copyright 1999-2002, MikroTik
MikroTik RouterOS V2.6 Specifications Sheet
Document revision 21 Nov 2002. This document applies to the MikroTik RouterOS V2.6.
Hardware
CPU and motherboard: advanced 4th generation (core frequency 100MHz or more), 5th generation (Intel Pentium, Cyrix 6X86, AMD K5 or comparable) or newer Intel IA-32 (i386 compatible); dual processors are not supported
RAM: minimum 32 MB, maximum 1 GB; 48 MB or more recommended
hard disk/Flash IDE: minimum 32 MB; 48MB or more recommended
for installation: floppy drive, keyboard, monitor
Basic Network Platform
TCP/IP protocol suite
Firewall and NAT: packet filtering; source and destination NAT; source MAC, addresses, ports, protocols, protocol options, interfaces
Routing: RIP 1/2, OSPF v2, BGP v4; equal cost multi-path routing; policy based routing; firewall marked packet routing
Bridging: spanning tree protocol; multiple bridge interfaces; bridge firewalling
Bandwidth Management: per IP / protocol / subnet
262. c-address=00:07:EB:30:E7:DA type=client packets=0,19 bytes=0,482 signal-level=69/75/138 noise-level=0/0/0 data-rate=10/110/110 tx-rate=10 last-update=00:00:00.840 uptime=00:02:59.180
1 interface=prism1 mac-address=00:40:96:29:2F:80 type=client packets=0,14 bytes=0,196 signal-level=66/72/84 noise-level=0/0/0 data-rate=10/10/10 tx-rate=10 last-update=00:00:08.380 uptime=00:02:42.220
[admin@MikroTik] interface prism>
Additional argument description (only for wireless clients):
packets - number of received and sent packets
bytes - number of received and sent bytes
signal-level - min/average/max signal level
noise-level - min/average/max noise level
data-rate - min/average/max receive data rate
tx-rate - transmit data rate
last-update - time since the last update
uptime - time the client is associated with the access point
Access List
The access list is used by the access point to restrict authentications (associations) of clients. This list contains the MAC address of the client and the associated action to take when the client attempts to connect. Also, the forwarding of frames sent by the client is controlled. The association procedure is as follows: when a new client wants to associate to the AP that is configured on interface prismX, an entry with the client's MAC address and interface prismX is looked up i
263. ce Let us consider the following setup MikroTik RouterOS V2 6 Reference Manual 251 IP Addresses and Address Resolution Protocol ARP Internet Internet Gatewa 10 0 0 2 h i interface eth _AN ane 2 MikroTik address 10 0 0 217 24 o Router dynamic interfaces ERREA pppoe inX Reseed for dial in glients f addresses 10 0 0 217 32 3g al i y gt Laptop Workstation 10 0 0 231 10 0 0 230 The MikroTik router setup is as follows admin MikroTik ip arp gt interfac thernet print Flags X disabled R running NAME MTU MAC ADDRESS ARP O R eth LAN 1500 00 50 08 00 00 F5 proxy arp admin MikroTik ip arp gt interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 eth LAN ether 1500 1 prisml prism 1500 2 D pppoe in25 pppoe in 3 D pppoe in26 pppoe in admin MikroTik ip arp gt ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 10 0 0 0 10 20 0295 eth LAN 1 D 10 0 0 217 32 10 0 0 230 0 0 0 0 pppoe in25 2 D 10 0 0 217 32 10 0 0 231 0 0 0 0 pppoe in26 admin MikroTik ip arp gt ip route print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE O S 0 0 0 0 0 r 10 0 0 1 1 eth LAN 1 DC 10 0 0 0 24 r 0 0 0 0 0 eth LAN 2 DC 10 0 0 230 32 r 0 0 0 0 0
264. ce bridge gt 2 Add the desired interfaces to the bridge interface admin MT_Prism_AP interface bridge port gt set etherl prisml bridge bridgel admin MT_Prism_AP interface bridge port gt print Flags X disabled INTERFACE BRIDGE 0 etherl bridgel 1 prisml bridgel admin MT_Prism_AP interface bridge port gt 3 Enable the bridge interface admin MT_Prism_AP interface gt print Flags X disabled D dynamic R running NAME TYPE MTU O R etherl ether 1500 1 R prismi prism 1500 2 X bridgel bridge 1500 admin MT_Prism_AP interface gt enable bridgel admin MT_Prism_AP interface gt print Flags X disabled D dynamic R running NAME TYPE MTU O R etherl ether 1500 1 R prismi prism 1500 2 R bridgel bridge 1500 admin MT_Prism_AP interface gt admin MT_Prism_AP admin MT_Prism_AP ip ip address gt add address 10 0 0 250 24 in address gt print Assign an IP address to the bridge interface and specify the default gateway for the access point terface bridgel Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 250 24 10 0 0 0 1000255 bridgel admin MT_Prism_AP ip address gt route add gateway 10 0 0 1 admin MT_Prism_AP ip address gt route print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEW
265. ce port to be used when calling the specified telephone number
prefix - prefix which will be used to substitute the known part of the destination pattern, i.e., the part containing digits
The dst-pattern argument is used to determine which voice port to be used, whereas the prefix argument designates the number to dial over the voice port (be sent over to the remote party). If the remote party is an IP telephony gateway, then the number will be used for making the call. More than one entry can be added with exactly the same dst-pattern. If the first one of them is already busy, the next one with the same dst-pattern is used. Telephony number entries can be moved to select the desired order. The main function of the numbers routing table is to determine: (1) to which voice port to route the call, and (2) what number to send over to the remote party. Let us consider the following example for the number table:
[admin@MikroTik] ip telephony numbers> print
Flags: I - invalid, X - disabled
DST-PATTERN VOICE-PORT PREFIX
0 12345 XX 1 1111 YY 2 22 ea ZZ 333 3 QQ 55
[admin@MikroTik] ip telephony numbers>
We will analyze the Number Received (nr) - the number dialed at the telephone or received over the line, the Voice Port (vp) - the voice port to be used for the call, and the Number to Call (nc) - the number to be called over the Voice Port. If nr 55555 it does not
266. Point to Point Wireless LAN; Cyclades PC300; Contents of the Manual; Adapter Hardware and Software Installation; Software Packages; Software License; Installing the Synchronous Adapter; Loading the Driver for the Cyclades PC300 PCI Adapter; Troubleshooting; RSV V 35 Synchronous Link Applications; Ethernet; Contents of the Manual; Ethernet Adapter Hardware and Software Installation; Software Packages; System Resource Usage
267. The Initial Contact; The Servlet; Address Assignment; MikroTik HotSpot Gateway Setup; HotSpot RADIUS Client Setup; RADIUS Parameters; Authentication data sent to server Access Request; Data received from server Access Accept; Accounting information sent to server Accounting Request; HotSpot Profiles; HotSpot Server Settings; HotSpot User Databases; HotSpot Cookies; HotSpot Step by Step User Guide; Planning the Configuration; Setup Example; Optional Settings; Customizing the Servlet; Servlet Page Description; Variable
268. System Resource Management; Overview; Contents of the Manual; System Resource; Basic System Resources; System Resource Monitoring; IRQ and IO Usage Monitor; Reboot and Shutdown; Configuration Reset; Router Identity; Date and Time Settings; Configuration Change History; System Scheduler Manual; Overview; Contents of the Manual; Hardware Resource Usage; System Scheduler Examples; Telnet Client; Contents of the Manual
269. cept mark flow Local_Up tcp mss dont chang admin MikroTik ip firewall mangle gt Finally shaping the traffic admin MikroTik queue tree gt add name Server_Up parent Up limit at 32000 max burst 0 bounded no flow Server_Up admin MikroTik queue tree gt add name Local_Up parent Up limit at 0 flow Local_Up admin MikroTik queue tree gt print Flags X disabled I invalid D dynamic 0 name Up parent Public flow limit at 64000 max burst 0 queue default priority 8 weight 1 allot 1514 bounded yes 1 name Server_Up parent Up flow Server_Up limit at 32000 max burst 0 queue default priority 8 weight 1 allot 1514 bounded no 2 name Local_Up parent Up flow Local_Up limit at 0 max burst 0 queue default priority 8 weight 1 allot 1514 bounded yes admin MikroTik queue tree gt Thus we used queue trees for limiting the upload The download speed can be limited the same way simply changing the interface names and matching the packets destined to the server use external server address if you are using DST NAT Additional Resources Links on Class Based Queuing CBQ http www aciri org floyd cbg html Links on Random Early Detection RED http www aciri org floyd papers red red html More Complete Information about Traffic Control http www linuxdoc org HOWTO Adv Routing HOWTO html O Copy
270. ck Typing There are two features in router console that help entering commands much quicker and easier the TAB key completions and abbreviations of command names Completions work similarly to the bash shell in UNIX If you press the Tab key after part of a word console tries to find the command in current context that begins with this word If there s only one match it is automatically appended followed by space character inte TAB _ becomes interface _ MikroTik RouterOS V2 6 Reference Manual 25 Terminal Console Manual Here is the cursor position And TAB is pressed TAB key not TAB character sequence If there s more than one match but they all have a common beginning which is longer than that what you have typed then the word is completed to this common part and no space is appended interface set e TAB _ becomes interface set ether_ because e matches both ether5 and ether1 in this example If you ve typed just the common part pressing the tab key once has no effect However pressing it for the second time shows all possible completions in compact form fadmin MikroTik gt interface set e TAB _ admineMikroTik gt interface set ether TAB _ admineMikroTik gt interface set ether TAB _ e therl ether5 admin MikroTik gt interface set ether The tab key can be used almost in any context where the console might have a clue about possible values command names a
271. Setting up the Welltech IP Telephone; Setting up the MikroTik Router and CISCO Router; IP Traffic Accounting; Overview; Installation; Hardware Resource Usage; Traffic accounting; Traffic data description; Threshold Setting; Traffic data display and collection; Traffic data analysis; Additional Resources; IP Packet Packer Protocol M3; Contents of the Manual; Installation; Hardware Resource Usage; MikroTik Packet Packer Protocol Description
272. cols ip arp other priority 1 admin Our_GW interface bridge gt port print Flags X disabled INTERFACE BRIDGE 0 eoip remote none 1 office eth none 2 isp none admin Our_GW interface bridge gt port set 0 1 bridge bridgel And the same for the Remote admin Remote interface bridge gt add forward protocols ip arp other admin Remote interface bridge gt print Flags X disabled R running 0 X name bridgel mtu 1500 arp enabled mac address 00 00 00 00 00 00 forward protocols ip arp other priority 1 admin Remote interface bridge gt port print Flags X disabled INTERFACE BRIDGE 0 ether none 1 adsl none 2 eoip main none admin Remote interface bridge gt port set 0 2 bridge bridgel 4 Addresses from the same network can be used both in the Office LAN and in the Remote LAN Copyright 1999 2003 MikroTik FarSync X 21 Interface Document revision 29 Aug 2002 This document applies to the MikroTik RouterOS v2 6 Overview The MikroTik RouterOS supports FarSync T Series X 21 synchronous adapter hardware For more information about the adapter hardware please see the relevant documentation e http www farsite co uk Contents of the Manual The following topics are covered in this manual e Synchronous Adapter Hardware and Software Installation Software Packages Software License e Synchron
273. come the designated router the one with the higher router priority takes precedence retransmit interval Time between retransmitting lost link state advertisements 3 65535 seconds When a router sends a link state advertisement LSA to its neighbor it keeps the LSA until it receives back the acknowledgment If it receives no acknowledgment in seconds it will retransmit the LSA transmit delay Link state transmit delay 1 65535 seconds is the estimated time it takes to transmit a link state update packet on the interface OSPF Virtual Links Virtual links connect physically separate components of backbone area The two endpoints of a virtual link are area border routers The virtual link must be configured in both routers To add a virtual link use the routing ospf network add command admin MikroTik routing ospf virtual link gt add neighbor id 10 0 0 201 transit area ex admin MikroTik routing ospf virtual link gt print Flags X disabled I invalid NEIGHBOR ID TRANSIT AREA 0 10 0 0 201 ex admin MikroTik routing ospf virtual link gt Argument description neighbor id router id of the neighbour transit area non backbone area the two routers have in common Note that virtual links cannot be established through stub areas OSPF Neighbours To see list of OSPF neighbors for router with brief statistics use routing ospf neighbor print command It also shows the router itself i
274. coming back because SAs are established and data is being encrypted On RouterOS we can see installed SAs admin MikroTik ip ipsec installed sa gt print Flags A AH E ESP P pfs M manual 0 E spi 9437482 direction out src address 10 0 1 1 dst address 10 0 1 2 auth algorithm shal enc algorithm des replay 4 state mature auth key 9cf2123b8b5add950e3e67b9eac79421d406aa09 nc key ffe7ec65b7a385c3 add lifetime 24m 30m use lifetime 0s 0s lifebytes 0 0 current addtime jul 12 2002 16 13 21 current usetime jul 12 2002 16 13 21 current bytes 71896 1 E spi 319317260 direction in src address 10 0 1 2 dst address 10 0 1 1 auth algorithm shal enc algorithm des replay 4 state mature auth key 575f5624914dd312839694db2622a318030bc3b enc key 633593f809c9d6af add lifetime 24m 30m use lifetime 0s 0s lifebytes 0 0 current addtime jul 12 2002 16 13 21 current usetime ju1 12 2002 16 13 21 current bytes 0 MikroTik RouterOS V2 6 Reference Manual 268 IPsec admin MikroTik ip ipsec installed sa gt And on Cisco interface Seriall Crypto map tag mymap local addr 10 0 1 2 local ident addr mask prot port 10 0 2 0 255 255 255 0 0 0 remote ident addr mask prot port 10 0 0 0 255 255 255 0 0 0 current_peer 10 0 1 1 PERMIT flags origin_is_acl pkts encaps 1810 pkts encrypt 1810 pkts digest 1810 pkts decaps 1861 pkts decrypt 1861 pkts verify 1861 pkts compressed 0 pkts decomp
275. conds even on very fast computer It usually takes place once per phase 1 exchange which happens only once between any host pair and then is kept for long time PFS adds this expensive operation also to each phase 2 exchange IKE Traffic To avoid problems with IKE packets hit some SPD rule and require to encrypt it with not yet established SA that this packet perhaps is trying to establish locally originated packets with UDP source port 500 are not processed with SPD The same way packets with UDP destination port 500 that are to be delivered locally are not processed in incoming policy check IPsec Setup admin MikroTik ip ipsec gt policy installed sa manual sa peer pre shared secret proposal counters export admin MikroTik ip ipsec gt Descriptions of settings policy set up security policies installed sa look at currently installed security associations manual sa templates for manual security associations peer IKE peer configuration pre shared secret to authenticate with IKE peers MikroTik RouterOS V2 6 Reference Manual 258 IPsec proposal phase2 IKE proposal settings counters counters To get IPsec to work with automatic keying you will have to configure policy peer pre shared secret and proposal entries For manual keying you will have to configure policy and manual sa entries Policy Settings To define new policy use ip ipsec policy add command admin Mikr
276. d Special Notice for PCMCIA PCI adapter users The IRQ is not being reported back correctly on some MB for PCMCIA PCI adapters As a result the wireless interface appears to be operational but there can be no data transmitted over the wireless link For example when pinging the AP or GW from the router there is no response to the ping although the other end gets the MAC address of the WaveLAN interface of the router To solve this try using another MB or use PCMCIA ISA adapter Loading the Driver for the Wireless Adapter The WaveLAN Orinoco PC PCMCIA cards do not require a manual driver loading since they are recognized automatically by the system and the driver is loaded at the system startup If the driver has loaded successfully there should be two beeps of equal tone which should be heard through the PC s speaker during the system startup If the second beep has a lower tone than the first one then the driver could not be loaded or there is no wavelan package installed Note The PC card can be inserted in the PCMCIA ISA or PCI adapter when the system is running The wavelan driver is not listed under the list of loaded drivers There can be several reasons for a failure to load the driver e The driver cannot be loaded because other device uses the requested IRQ Try to set different IRQ to other devices e The requested I O base address cannot be used on your motherboard Change the motherboard Wireless Interfac
277. d a PPP client using the add command admin MikroTik interface ppp client gt add creates new item with specified property values add default rout Add PPP remote address as a default route copy from item number dial on demand Enable Disable dial on demand disabled modem init odem init string mru aximum Receive Unit mtu aximum Transfer Unit nam w interface nam null modem Enable Disable nullmodem mode password MikroTik RouterOS V2 6 Reference Manual 157 Point to Point Protocol PPP and Asynchronous Interfaces phone Phone number for dialout port Serial port profile tone dial Enable Disable tone dial use peer dns Enable Disable using of peer DNS user User name to use for dialout admin MikroTik interface ppp client gt add name test user test port setiall Y add default route yes admin MikroTik interface ppp client gt print Flags X disabled R running 0 X name test mtu 1500 mru 1500 port seriall user test password profile default phone tone dial yes modem init null modem no dial on demand no add default route yes use peer dns no admin MikroTik interface ppp client gt enable 0 admin MikroTik interface ppp client gt monitor test2 uptime Os encoding status Logging in to network admin MikroTik interface ppp client gt Descriptions of settings name new interface name port serial port user P2P user name on t
278. d ah key auth keyl ah spi 0x101 0x100 ip ipsec policy add src address 10 1 0 0 24 dst address 10 2 0 0 24 action encrypt ipsec protocols ah tunnel yes sa src 1P 1 0 0 1 sa dst 1 0 0 2 manual sa ah sal And for Router 2 ip ipsec key add key algorithm shal length 160 key 0000000000000000000000000000000000000000 ip ipsec manual sa add ah key auth keyl ip ipsec policy add src address 10 2 0 0 24 dst address 10 1 0 0 24 X action encrypt ipsec protocols ah tunnel yes sa src 1P 1 0 0 2 sa dst 1 0 0 1 N manual sa ah sal IPsec Setup for Routing Between two Masquerading MikroTik Routers 1 0 0 0 24 10 1 0 0 24 10 2 0 0 24 On Router1 e Add accept and masquerading rules in SRC NAT ip firewall src nat add src address 10 1 0 0 24 dst address 10 2 0 0 24 ip firewall src nat add out interface public action masq e Configure IPsec ip ipsec policy add src address 10 1 0 0 24 dst address 10 2 0 0 24 action encrypt tunnel yes sa src address 1 0 0 1 sa dst address 1 0 0 2 ip ipsec peer add address 1 0 0 2 exchange mode aggressiv ip ipsec pre shared secret add address 1 0 0 2 secret sviestapika On Router2 e Add accept and masquerading rules in SRC NAT ip firewall src nat add src address 10 2 0 0 24 dst address 10 1 0 0 24 ip firewall src nat add out interface public action masq e Configure IPsec ip ip
279. d argument if present You can supply description for new item using comment argument if present admin MikroTik ip route gt set 0 comment our default gateway admin MikroTik ip route gt set 1 comment wireless network gateway admin MikroTik ip route gt print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S our default gateway 0 0 0 0 0 Po LOO O81 ili ether6 1 S wireless network gateway 10 100 0 0 16 r 10 0 0 254 il ether6 2 DC 192 168 1 0 24 00 00 00 0 ether4 3 DC 10 10 10 0 24 r 0 0 0 0 0 prisml admin MikroTik ip route gt move If the order of items is relevant command level will also contain move command First argument is a list of items whose order will be changed second argument specifies item before which to place all items being moved they are placed at the end of the list if second argument is not given Item numbers after move command are left in a consistent but hardly intuitive order so it s better to resync by using print after each move command MikroTik RouterOS V2 6 Reference Manual 29 Terminal Console Manual admin MikroTik ip firewall mangle gt print brief Flags X disabled I invalid D dynamic SRC ADDRESS DST ADDRESS 0 0 0 0 0 0 80 0 0 0 0 0 0 65535 1 1 1 1 1 32 80 0 0 0 0 0 0 65535 2 2 2 2 2 32 80 0 0 0 0 0 0 65535 3 3d 3132
280. d automatically Note the dynamic default route will not be added if there is already a default route set dial on demand Connects to AC only when outbound traffic is generated and disconnects when there is no traffic for the period set in the idle timeout value use peer dns Sets the router default DNS to the PPP peer DNS MikroTik RouterOS V2 6 Reference Manual 161 Point to Point Protocol over Ethernet PPPoE PPPOE Server Setup Access Concentrator The PPPoE server access concentrator supports multiple servers for each interface with differing service names Currently the throughput of the PPPoE server has been tested to 160Mb s on a Celeron 600 CPU Using higher speed CPUs should increase the throughput proportionately The setting below is the optimal setting to work with Windows clients such as RASPPPoE client for all versions of Windows greater than 3 x The password authentication and encryption are set to authentication chap specifically to ensure a quick login by the windows client In the example below the login is encrypted with PAP The access concentrator has a hard limit of 5000 current connections The user setting for the connections limit is done by setting the IP pools in the remote address configuration The access concentrator name and PPPoE service name are used by clients to identify the access concentrator to register with The access concentrator name is the same as the identity of the rout
281. d configure it in the following way admineMikroTik interface isdn server gt add msn 7542159 authentication chap pap bundle 128K no admin MikroTik interface isdn server gt print Flags X disabled 0 X name isdn inl mtu 1500 mru 1500 msn 7542159 authentication chap pap profile default 12 protocol x75bui bundle 128K no Configure PPP settings and adding a user to routers database admin MikroTik ppp profile gt print Flags default 0 name default local address 0 0 0 0 remote address 0 0 0 0 session timeout 0s idle timeout 0s use compression no use vj compression yes us ncryption no require encyrption no only one no tx bit rate 0 rx bit rate 0 incoming filter outgoing filter admin Mikrotik ppp profile gt set default idle timeout 5s local address 10 99 8 1 remote address 10 9 88 1 Add user john to the router user database Assuming that the password is 31337 admin MikroTik ppp secret gt add name john password 31337 service isdn admin MikroTik ppp secret gt print admin ISDN ppp secret gt print Flags X disabled NAME SERVICE CALLER ID PASSWORD PROFIL 0 john isdn 31337 defaul admin MikroTik ppp secret gt FIA Check the status of the ISDN server interface and wait for the call admineMikroTik interface isdn server gt monitor isdn inl status Waiting for call ISDN Backup Backup systems are used in
282. d in the system package No installation is needed for this feature Hardware Resource Usage There is no significant resource usage Ping Description Ping utility shows Time To Live value of the received packet ttl and Roundtrip time time in ms The console Ping session may be stopped when the Ctrl C is pressed admin MikroTik gt ping Send ICMP Echo packets Repeat after given time interval lt address gt count Number of packets do not fragment interval Delay between messages size Packet size ttl admin MikroTik gt ping Descriptions of arguments address IP address for the host you want to ping size Size of the IP packet in bytes including the IP and ICMP headers Can be 36 4096 do not fragment if added packets will not be fragmented interval Delay between messages in seconds Can be 10ms 5s Default is 1 second count How many time ICMP packets will be sent If not specified ping continues till CTRL C is pressed ttl Time To Live TTL value of ICMP packet Can be 1 255 MikroTik RouterOS V2 6 Reference Manual 410 Ping Examples gt ping 159 148 60 admin MikroTik 159 148 60 2 64 byte pong 159 148 60 2 64 byte pong 159 148 60 2 64 byte pong 159 148 60 2 pong timeout 159 148 60 2 64 byte pong 5 packets transmitted round trip min avg max admin MikroTik gt tt1 247 tt1 247 tt1 247 tt1 247 Ping 2 count time 32 time 30
283. d to enable the LCD For Powertip parallel port LCDs admin MikroTik system lcd gt print enabled no type powertip admin MikroTik system lcd gt set enabled yes admin MikroTik system lcd gt print enabled yes type powertip admin MikroTik system lcd gt For Crystalfontz serial LCDs admin MikroTik system lcd gt set type crystalfontz ERROR can t acquire requested port already used admin MikroTik system lcd gt set type crystalfontz serial port serial1 admin MikroTik system lcd gt port print NAME USED BY BAUD RATE 0 serial0 Serial Console 9600 1 serial1 LCP Panel 9600 admin MikroTik system lcd gt print enabled yes type crystalfontz serial port serial1 admin MikroTik system lcd gt Note as you see the first try to set LCD type failed because it wanted to use serial0 that is commonly used for Serial Console by default Argument description enabled turns the LCD on or off type sets the type of the LCD powertip crystalfontz serial port name of the port where the LCD is connected LCD Information Display Configuration The system lcd page menu is used for configuring the LCD information display Use the system lcd page print command to see the configuration of the information display Example output of the print command admin MikroTik system lcd page gt print Flags X disabled DISPLAY TIME DESCRIPTION 0 X 5s System
284. de should be added to the firewall configuration admin MikroTik ip firewall src nat gt add action masquerade out interface Public admin MikroTik ip firewall src nat gt print Flags X disabled I invalid 0 src address 0 0 0 0 0 0 65535 dst address 0 0 0 0 0 0 65535 out interface Public protocol all icmp options any any flow limit count 0 limit burst 0 limit time 0s action masquerade to src address 0 0 0 0 to src port 0 65535 admineMikroTik ip firewall src nat gt All outgoing connections from the network 192 168 0 0 24 will have source address 10 0 0 217 of the router and source port above 1024 No access from the Internet will be possible to the Local addresses If you want to allow connections to the server on the local network you should use Static Network Address Translation NAT Example of Destination NAT Assume you need to configure the MikroTik router for the following network setup where the server is located in the private network area Internet Internet Erre Gatewa Public Network 10 0 0 10 0 0 0 24 MikroTik interface Public Router address 10 0 0 217 24 interface Local address 192 168 0 254 24 Local Network 192 168 0 0 24 Workstation an Server 192 168 0 1 192 168 0 2 192 168 0 4 The server s address is 192 168 0 4 and we are running web server on it that listens to the TCP port 80 We want to make it accessible from the Internet at address port 10 0 0 217 80 This can be done b
285. direction and Destination NAT; Understanding REDIRECT and MASQUERADE; Connection Tracking; Troubleshooting; Additional Resources; IP Firewall Applications; Basic Firewall Building Principles; Example of Firewall Filters; Protecting the Router; Protecting the Customer s Network; Enforcing the Internet Policy; Example of Source NAT Masquerading; Example of Destination NAT; Contents of the Manual; Hardware Resource Usage; How MikroTik HotSpot Gateway Works
286. disabled 0 name backbone area id 0 0 0 0 default cost 0 stub no authentication none oOo n dl name local_10 area id 0 0 0 1 default cost 0 stub no authentication none admin OSPF peer 1 gt routing ospf network print Flags X disabled NETWORK AREA 0 10 3 0 0 24 local_10 il 10 1 0 0 24 local_10 admin OSPF peer 1 gt MikroTik RouterOS V2 6 Reference Manual 341 Open Shortest Path First OSPF Routing Protocol OSPF peer 2 Router Setup The IP address configuration of the OSPF peer 2 router is as follows admin OSPF peer 2 gt ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 2 0 1 24 10 2 0 0 10 2 0 255 main 1 10 3 0 2 24 10 3 0 0 10 3032595 to peer1 admin OSPF peer 2 gt OSPF settings admin OSPF peer 2 gt routing ospf print router id 0 0 0 0 distribute default never redistribute connected as type 1 redistribute static no redistribute rip no redistribute bgp no metric default metric connected metric static metric rip metric bgp 0 admin OSPF peer 2 gt routing ospf area print Flags X disabled 0 name backbone area id 0 0 0 0 default cost 0 stub no authentication none Ooorp 1 name local_10 area id 0 0 0 1 default cost 0 stub no authentication none admin OSPF peer 2 gt routing ospf network print Flags X disabled NETWORK AREA 0 10 2 0 0 24 local_10 1 10 3
287. dress Destination IP address Can be in the form address mask where mask is number of nonzero bits in the subnet mask e g 10 0 0 204 32 in interface interface the packet has entered the bridge through may be all mac dst address MAC address of destination host mac protocol Either all or the MAC protocol number of the packet Most widely used MAC protocol numbers are 2048 for IP 2054 for ARP 32821 for RARP 32823 for IPX 32923 for AppleTalk EtherTalk 33011 for AppleTalk Address Resolution Protocol AARP 33169 for NetBEUI 34525 for IPv6 mac src address MAC address of source host out interface interface the packet is leaving the bridge through may be all protocol Protocol all egp ggp icmp igmp ip encap ip sec tcp udp src address Source IP address Can be in the form address mask where mask is number of bits in the subnet e g 10 0 0 201 32 If the packet matches the criteria of the rule then the performed action can be e accept Accept the packet No action i e the packet is passed through without undertaking any action and no more rules are processed e drop Silently drop the packet without sending the ICMP reject message e passthrough ignore this rule Acts the same way as a disabled rule except for ability to count packets Note that packets between bridged interfaces are also passed through the normal ip firewall rules it even can be NATted
288. dress is added then instead of dynamic entry registered will appear Dynamic entries disappear when corresponding endpoint unregisters itself from this gatekeeper Registered entries are static and will stay even after that endpoint will be unregistered from this gatekeeper Registered telephone numbers are added to ip telephony numbers table Here is exactly the same idea behind dynamic and registered telephone numbers as it is with voip voice ports When endpoint registers to gatekeeper it sends its own telephone numbers aliases and prefixes within this registration request ip telephony numbers entry is registered to endpoint only if voice port for that entry is local not voip If dst pattern contains or _ it is sent as prefix otherwise as alias As prefix is sent the known part of the dst pattern If there is no known part dst pattern is _ or for example then this entry is not sent at all So for example if numbers table is like this admin MikroTik ip telephony numbers gt print Flags I invalid X disabled D dynamic R registered DST PATTERN VOICE PORT PREFIX 0 Tes phonejackl 1 128 voipl 128 2 78 voip2 78 3 77 phonejackl 4 76 phonejackl 55 5 voipl then entries 0 3 and 4 will be sent others are voip voice ports and are ignored Entry 0 will be sent as prefix 1 entry 3 as alias 77 entry 4 as alias 76 If IP address of local endpoint is 10 0 0 100
289. dst can be processed by this policy Transport mode can only work with packets that originate at and are destined for IPsec peers hosts that established security associations To encrypt traffic between networks or network and host you have to use tunnel mode ipsec protocols One of ah esp ah esp Specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic AH is applied after ESP and in case of tunnel mode ESP will be applied in tunnel mode and AH in transport mode level What to do if some of the SAs for this policy cannot be found 4 use skip this transform don t drop packet don t acquire SA from IKE daemon acquire skip this transform but acquire SA for it from IKE daemon 4 require drop packet acquire SA sa src address SA source sa dst address SA destination manual sa Name of manual sa template that will be used to create SAs for this policy or none if you don t want to set up any manual keys proposal Name of proposal info that will be sent by IKE daemon to establish SAs for this policy If you are using IKE to establish SAs automatically then policies on both routers must be exactly matching i e src address 1 2 3 0 27 on one router and dst address 1 2 3 0 28 on another won t work src values on one router MUST be equal to dst values on the o
290. e Document revision 29 Nov 2002 This document applies to the MikroTik RouterOS V2 6 Overview The SSH feature can be used with various SSH Telnet clients to securely connect to and administrate the router The MikroTik RouterOS supports • SSH 1 3 1 5 and 2 0 protocol standards • server functions for secure administration of the router • telnet session termination with 40 bit RSA SSH encryption is supported • secure ftp is not supported • Winbox connection encryption TLS The MikroTik RouterOS has been tested with the following SSH telnet terminals • PuTTY • Secure CRT • Most SSH compatible telnet clients Contents of the Manual The following topics are covered in this manual • Installation • Hardware Resource Usage • Suggested Windows Client Setup • Suggested UNIX Linux Client Setup • Additional Resources Links for Windows Client Other links Installation The ssh 2 6 x npk less than 1MB package for installation of SSH is required The package can be downloaded from MikroTik's web page www mikrotik com To install the package please upload it to the router with ftp and reboot No additional settings are required You may check to see if the SSH package is installed with the command system package print Hardware Resource Usage The uncompressed package will use approximately 1MB of additional Flash HD IDE memory A minimum amount of additional RAM is used No hardware upgrades are required
291. e code The line code For T1 E1 channels only AMI B8ZS HDB3 NRZ • framing mode The frame mode For T1 E1 channels only CRC4 D4 ESF Non CRC4 Unframed • line build out LBO For T1 channels only 0dB 15dB 22 5dB 7 5dB • rx sensitivity The receiver sensitivity For T1 E1 channels only long haul short haul • frame relay lmi type Type of frame relay Local Management Interface ansi ccitt • frame relay dce Determine whether the interface will be a DCE or DTE yes no • chdlc keepalive CHDLC keepalive period in seconds MOXA C101 interface admin MikroTik> interface synchronous print Flags X disabled R running 0 R name sync1 mtu 1500 line protocol sync ppp clock rate 64000 clock source external frame relay lmi type ansi frame relay dce no cisco hdlc keepalive interval 10s ignore dcd no admin MikroTik> Argument description • name Assigned name of the interface • mtu Maximum Transfer Unit of an interface • line protocol Type of data transfer protocol cisco hdlc frame relay sync ppp • clock rate Speed of the clock • clock source The clock source external internal tx from rx tx internal • frame relay lmi type Type of frame relay Local Management Interface ansi ccitt • frame relay dce Determine whether the interface will be a DCE or DTE yes no • cisco hdlc keepalive interval
292. e Configuration If the driver has been loaded successfully no error messages and you have the required 2 4GHz Wireless Software License then the WaveLAN ORiNOCO 2 4GHz Wireless interface should appear under the interfaces list with the name wavelanX where X is 1 2 You can change the interface name to a more descriptive one using the set command To enable the interface use the enable command admin MikroTik interface> print Flags X disabled D dynamic R running NAME TYPE MTU 0 R Public 1500 ether 1 R Local 1500 ether 2 X wavelan1 1500 wavelan MikroTik interface> enable 2 admin MikroTik interface> print Flags X disabled D dynamic R running NAME TYPE MTU 0 R Public 1500 ether 1 R Local 1500 ether 2 R wavelan1 1500 wavelan admin MikroTik interface> More configuration and statistics parameters can be found under the interface wavelan menu admin MikroTik interface> wavelan admin MikroTik interface wavelan> print Flags X disabled R running 0 R name wavelan1 mtu 1500 mac address 00 02 2D 07 D8 44 arp enabled frequency 2412MHz data rate 11Mbit s mode ad hoc ssid client name key1 key2 key3 key4 tx key key1 encryption no admin MikroTik interface wavelan> Argument description number Interface number in the list
293. e ISP's network with address 10 0 0 0 and 24 bit netmask 255 255 255 0 The router's address is 10 0 0 217 in this network The addresses can be added and viewed using the following commands admin MikroTik ip address> add address 192 168 0 254 24 interface Local admin MikroTik ip address> add address 10 0 0 217 24 interface Public admin MikroTik ip address> print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 10 0 0 217 10 0 0 255 Public 1 192 168 0 254 24 192 168 0 0 192 168 0 255 Local admin MikroTik ip address> Here the network mask has been specified in the value of the address argument Alternatively the argument netmask could have been used with the value 255 255 255 0 The network and broadcast addresses were not specified in the input since they could be calculated automatically Configuring the Default Route You can see two dynamic D and connected C routes which have been added automatically when the addresses were added admin MikroTik ip route> print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 DC 192 168 0 0 24 r 0 0 0 0 0 Local 1 DC 10 0 0 0 24 r 0 0 0 0 0 Public admin MikroTik ip route> p
294. e MikroTik IP telephone and one Welltech LAN Phone 101 setup [Figure: network diagram of the IP telephony setup] Setting up the MikroTik IP Telephone The QuickNet LineJACK or PhoneJACK card and the MikroTik RouterOS telephony package should be installed in the MikroTik router IP telephone 10 0 0 22 An analog telephone should be connected to the phone port of the QuickNet card If you pick up the handset a dialtone should be heard The basic telephony configuration should be as follows 1 Add a voip voice port to the ip telephony voice port voip for each of the devices you want to call or want to receive calls from i.e. the IP telephony gateway 10 1 1 12 and the Welltech IP telephone 10 5 8 2 admin Joe ip telephony voice port voip> add name gw remote address 10 1 1 12 admin Joe ip telephony voice port voip> add name robert remote address 10 5 8 2 admin Joe ip telephony voice port voip> print Flags X disabled D dynamic R registered NAME AUTODIAL REMOTE ADDRESS JITTER BUFFER PREFERED CODEC SIL FAS 0 gw 10 1 1 12 100ms none no yes 1 robert 10 5 8 2 100ms none no yes admin Joe ip telephony voice port voip> You should have three voice ports now admin Joe ip telephony voice port> print Flags X disabled NAME TYPE AUTO
295. e Set Identifier actually the MAC address of the access point signal quality the signal quality 0 92 signal level the average signal level 27 154 noise level the average noise level 100 0 The monitor command does not work if the interface is disabled or the mode is ap bridge or bridge Access Point Mode Configuration To set the wireless interface for working as an IEEE 802 11b access point register clients you need both the 2 4GHz Wireless Feature License and the Prism AP Feature Licenses You should set the following parameters • The Service Set Identifier It should be unique for your system • The Operation Mode of the card should be set to ap bridge or bridge In bridge mode only one client can be registered • The Frequency of the card All other parameters can be left as default However you should make sure that all clients support the basic rate of your access point i.e. the supported rates of the client should cover the basic rates of the access point To configure the wireless interface for working as an access point with ssid testing and use the frequency 2442MHz it is enough to enter the command admin MikroTik interface prism> set prism1 mode ap bridge frequency 2442 ssid testing admin MikroTik interface prism> print Flags X disabled R running
296. e Software Packages; System Software Package; Additional Software Feature Packages; Software Package Resource Usage; Troubleshooting; Hardware; Basic Network; TCP IP protocol suite; Special Protocol; Caching Features; Wireless Interface; Synchronous; Asynchronous Interfaces; Ethernet Interfaces; VoIP; Table of Contents Software Package Installation and Upgrading; HomePNA Interfaces; MikroTik RouterOS V2 6 Specifications
297. e as follows admin MikroTik> ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 10 0 0 217 10 0 0 255 Public 1 192 168 0 254 24 192 168 0 0 192 168 0 255 Local admin MikroTik> ip route print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 E LOS 0 L 1 Public 1 DC 192 168 0 0 24 r 0 0 0 0 0 Local 2 DC 10 0 0 0 24 r 0 0 0 0 0 Public admin MikroTik> Protecting the Router To protect the router from unauthorized access we should filter out all packets with the destination addresses of the router and accept only what is allowed Since all packets with destination to the router's address are processed against the input chain we can add the following rules to it input> add protocol tcp tcp option non syn only comment Allow established TCP connections input> add protocol udp comment Allow UDP connections input> add protocol icmp comment Allow ICMP messages input> add src addr 10 5 8 0 24 trusted network 10 5 8 0 24 of ours input> add action reject log yes erything else input> print admin MikroTik> ip firewall rule input admin MikroTik ip firewall rule connection state established admin MikroTik ip firewall rule
298. e ether1 address 192 168 0 254 24 LAN 192 168 0 0 24 The interface should be enabled according to the instructions given above The IP addresses assigned to the synchronous interface should be as follows admin MikroTik ip address> add address 1 1 1 1 32 interface farsync1 network 1 1 1 2 broadcast 255 255 255 255 admin MikroTik ip address> print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 254 24 10 0 0 254 10 0 0 255 ether2 1 192 168 0 254 24 192 168 0 254 192 168 0 255 ether1 2 1 1 1 1 32 1 1 1 2 255 255 255 255 farsync1 admin MikroTik ip address> ping 1 1 1 2 1 1 1 2 64 byte pong ttl 255 time 31 ms 1 1 1 2 64 byte pong ttl 255 time 26 ms 1 1 1 2 64 byte pong ttl 255 time 26 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 26 27 6 31 ms admin MikroTik ip address> Note that for the point to point link the network mask is set to 32 bits the argument network is set to the IP address of the other end and the broadcast address is set to 255 255 255 255 The default route should be set to the gateway router 1 1 1 2 admin MikroTik ip route> add gateway 1 1 1 2 admin MikroTik ip route> print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O os
299. e io print PORT RANGE OWNER 20 3F APIC 40 5F timer 60 6F keyboard 80 8F DMA A0 BF APIC C0 DF DMA F0 FF FPU 1F0 1F7 IDE 1 3C0 3DF VGA 3F6 3F6 IDE 1 CF8 CFF PCI conf1 1000 100F Silicon Integrated Systems SiS 5513 IDE 1000 1007 IDE 1 1008 100F IDE 2 6000 60FF Realtek Semiconductor Co Ltd RTL 8139 6000 60FF 8139too 6100 61FF Realtek Semiconductor Co Ltd RTL 8139 2 6100 61FF 8139too admin MikroTik> Installing the Wireless Adapter These installation instructions apply to non Plug and Play ISA cards If you have a Plug and Play compliant system AND PnP OS Installed option in system BIOS is set to Yes AND you have a Plug and Play compliant ISA or PCI card using PCMCIA card with Plug and Play compliant adapter the driver should be loaded automatically If it is not these instructions may also apply to your system The basic installation steps of the wireless adapter should be as follows 1 Check the system BIOS settings for peripheral devices like Parallel or Serial communication ports Disable them if you plan to use IRQs assigned to them by the BIOS 2 Set the DIP switches on the ISA board according to the following plan DIP switch 6 to on non PnP mode Use the DIP switches 1 2 3 to select the IRQ number Use the DIP switches 4 5 to select the I O Base Address Please note that not
300. e nam Parameter description name interface name arp Address Resolution Protocol one of the disabled the interface will not use ARP protocol enabled the interface will use ARP protocol proxy arp the interface will be an ARP proxy see corresponding manual reply only the interface will only reply to the requests originated to its own IP addresses but neighbour MAC addresses will be gathered from ip arp statically set table only mtu Maximum Transmit Unit Default value is 1500 bytes disable running check for broken ethernet cards it is good to disable running status checking as default For some Ethernet NICs it is possible to monitor the Ethernet status admin MikroTik interface ethernet> monitor ether2 status link ok auto negotiation done rate 100Mbps full duplex yes admin MikroTik interface ethernet> monitor ether3 status no link auto negotiation incomplete admin MikroTik interface ethernet> monitor ether1 status unknown admin MikroTik interface ethernet> Please see the IP Address manual on how to add IP addresses to the interfaces © Copyright 1999 2002 MikroTik Ethernet over IP EoIP Tunnel Interface Document revision 21 Jan 2003 This document applies to the MikroTik RouterOS V2 6 Overview
301. e order in which they're given Output can be formatted either as a table with one item per line or as a list with property value pairs for each item By default print uses one of these forms but it can be set explicitly with brief and detail arguments In brief table form column argument can be set to a list of property names that should be shown in the table admin MikroTik interface ethernet> print Flags X disabled R running NAME MTU MAC ADDRESS ARP 0 R ether1 1460 00 50 08 00 00 F5 enabled 1 R ether2 1460 00 50 08 00 00 F6 enabled admin MikroTik interface ethernet> print detail Flags X disabled R running 0 R name ether1 mtu 1460 mac address 00 50 08 00 00 F5 arp enabled disable running check yes 1 R name ether2 mtu 1460 mac address 00 50 08 00 00 F6 arp enabled disable running check yes admin MikroTik interface ethernet> print brief column mtu arp Flags X disabled R running MTU ARP 0 R 1460 enabled 1 R 1460 enabled admin MikroTik interface ethernet> print Rules that do some accounting for example ip firewall or queue rules may have two additional views of packets and of bytes matched these rules admin MikroTik ip firewall rule forward> print packets Flags X disabled I invalid SRC ADDRESS DST ADDRESS PACKETS 0 0 0 0 0 0 0 65535 0 0 0 0 0 0 65535 0 admin MikroTik ip firewall rule forward> print bytes Flags X disabled I invalid SRC ADDR
302. e traffic exceeds the threshold i.e. goes from being less than threshold to being more than threshold value below triggers script in the opposite condition when traffic drops under the threshold always triggers script on both above and below conditions Traffic Monitor Examples The example monitor enables the interface ether2 if the received traffic exceeds 15kbps on ether1 and disables the interface ether2 if the received traffic falls below 12kbps on ether1 admin MikroTik system script> add name eth up source interface enable ether2 admin MikroTik system script> add name eth down source interface disable ether2 admin MikroTik system script> tool traffic monitor admin MikroTik tool traffic monitor> add name turn_on interface ether1 on event eth up threshold 15000 trigger above traffic received admin MikroTik tool traffic monitor> add name turn_off interface ether1 on event eth down threshold 12000 trigger below traffic received admin MikroTik tool traffic monitor> print Flags X disabled I invalid NAME INTERFACE TRAFFIC TRIGGER THRESHOLD ON EVENT 0 turn_on ether1 received above 15000 eth up 1 turn_off ether1 received below 12000 eth down admin MikroTik tool traffic monitor> Copyright 1999 2002 MikroTik SNMP Service Document revis
303. e viewed using the routing rip route print command admin MikroTik routing rip route> print Flags S static R rip O ospf C connect B bgp 0 O dst address 0 0 0 0 32 gateway 10 7 1 254 metric 1 from 0 0 0 0 33 R dst address 159 148 10 104 29 gateway 10 6 1 1 metric 2 from 10 6 1 1 34 R dst address 159 148 10 112 28 gateway 10 6 1 1 metric 2 from 10 6 1 1 admin MikroTik routing rip route> Printout description dst address destination network address and netmask gateway last gateway to destination address metric distance vector length to the network from from which router this route was received Additional Resources Links for RIP documentation • http://www.ietf.org/rfc/rfc1058.txt • http://www.ietf.org/rfc/rfc2453.txt • Cisco Systems RIP protocol overview RIP Examples Let us consider an example of routing information exchange between MikroTik router a Cisco router and the ISP also mikrotik routers [Figure: network diagram of the RIP example] The Configuration of the MikroTik Router The configuration of the MikroTik router is as follows admin MikroTik> interface prin
304. ea area id area ID must be in IP address notation Cannot be changed for the backbone area default cost Cost for the default summary route used for a stub area Only for area boundary router stub yes no Sets the area type authentication md5 none simple authentication method for OSPF none no authentication simple clear text authentication md5 Keyed Message Digest 5 MD5 authentication OSPF Network To start the OSPF protocol you have to define the networks on which OSPF runs and the area ID for those networks Use the routing ospf network add command admin MikroTik routing ospf network> add area backbone network 10 10 1 0 24 admin MikroTik routing ospf network> print Flags X disabled NETWORK AREA 0 10 10 1 0 24 backbone admin MikroTik routing ospf> Argument description area Area to be associated with the address range network the network address mask that is associated with the area The network argument allows defining one or multiple interfaces to be associated with a specific OSPF area Only directly connected networks of the router may be specified Note that for P2P links you should set here exactly the same value as the network address which is the remote point IP address In this case the correct netmask bits should be 32 OSPF Interfaces To run OSPF you don't have to configure interfaces routing ospf interface command level is only
305. eb page www mikrotik com To install the package please upload it to the router with ftp and reboot Hardware Resource Usage There is no significant resource usage OSPF Description For OSPF description and deployment guidelines please refer to list of Additional Resources Current document discusses OSPF configuration for MikroTik RouterOS When deploying OSPF all routers should be configured in a coordinated manner Routers belonging to one area should have the same area ID configured Although MikroTik RouterOS supports multiple areas it is not likely that you will deploy structures with many of them OSPF Setup The OSPF management can be accessed under the routing ospf submenu After you have divided your networks in areas you have to configure the following settings on each OSPF router 1 Change general OSPF settings of redistributing connected static and default routes The default route should be distributed only from border routers of your area 2 Configure additional areas if any 3 If you're using encryption you also should configure keys in routing ospf interface command level 4 Add OSPF network records for all networks you want the OSPF to run on The OSPF is started after adding record to the ospf network list Note The OSPF protocol is started only on interfaces configured under the routing ospf netwo
306. eboot policy local telnet ssh ftp reboot read write policy test web admin MikroTik user group> Here the argument name is the name of the group and policy contains the list of policies assigned to the group local User can log on locally via console telnet User can log on remotely via telnet ssh User can log on remotely via secure shell ftp User can log on remotely via ftp and send and retrieve files from the router reboot User can reboot the router read User can retrieve the configuration write User can retrieve and change the configuration policy Manage user policies add and remove user test User can run ping traceroute bandwidth test web user can log on remotely via http Note if there is an exclamation sign right before a policy name it means not © Copyright 1999 2002 MikroTik Bandwidth Test Document revision 19 Nov 2002 This document applies to MikroTik RouterOS v2 6 Overview The Bandwidth Tester can be used to monitor the throughput only to a remote MikroTik router either wired or wireless and thereby help to discover network bottlenecks The TCP test uses the standard TCP protocol with acknowledgments and follows the TCP algorithm on how many packets to send according to latency dropped packets and other features in the TCP
307. Overview; Contents of the Manual; Software License; Hardware Resource Usage; MikroTik Web Proxy Description; MikroTik Web Proxy Setup; Monitoring the Web Proxy; Managing the Cache; Transparent Mode; Setup Example; Troubleshooting; Queues and Bandwidth Management; Overview; Contents of the Manual; How Queues Work; Configuring Simple Queues; Queue Types; Setting Default Queue Type for the Interface; Configuring Queue Trees; Troubleshooting
308. ed NTP is not running NTP is disabled • error there was some internal error starting NTP service please try to restart disable and enable NTP service • started NTP client service is started but NTP server is not found yet • failed NTP server sent invalid response to our NTP client NTP server is not synchronous to some other time source • reached NTP server contacted Comparing local clock to NTP server's clock duration of this phase approx 30 sec • timeset local time changed to NTP server's time duration of this phase approx 30 sec • synchronized local clock is synchronized to NTP server's clock NTP server is activated • using local clock using local clock as time source server enabled while client disabled NTP Server The NTP Server setup is under system ntp server admin MikroTik> system ntp server print enabled no broadcast no multicast no manycast yes admin MikroTik> NTP server activates only when local NTP client is in synchronized or using local clock mode If NTP server is disabled all NTP requests are ignored If NTP server is enabled all individual time requests are answered If broadcast is enabled NTP broadcast message is sent to 255 255 255 255 every 64s If multicast is enabled NTP multicast message is sent to 224 0 1 1 every 64s If manycast is enabled NTP server listens for multicast messages sent to 239 192 1 1 and responds to
309. ed R running 0 R name atheros1 mtu 1500 mac address 00 06 AB 00 37 8B arp enabled mode station root ap 00 00 00 00 00 00 frequency 5240MHz ssid mikrotik supported rates 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates 6Mbps protocol 802 11 standard ack time 100 default authentication yes default forwarding yes max clients 2007 admin MikroTik interface atheros> Argument description name interface name same as for other interfaces mtu maximum transfer unit same as for other interfaces mac address MAC address of card In AP mode this will also be BSSID of BSS arp Address Resolution Protocol one of the disabled the interface will not use ARP protocol enabled the interface will use ARP protocol proxy arp the interface will be an ARP proxy see corresponding manual reply only the interface will only reply to the requests originated to its own IP addresses but neighbour MAC addresses will be gathered from ip arp statically set table only mode mode of the interface if station card works as station client for the wireless infrastructure bridge card works as access point but can register only one client or access point if ap bridge card works as access point i.e. it creates wireless infrastructure root ap only ap bridge or bridge MAC address of the root access point to register to frequency only ap bridge
310. ed it consumes a small amount of memory No increase of memory is suggested Bridge Setup IP bridge management is accessible under the interface bridge menu admin MikroTik interface bridge> Bridge interface is accessible through any interface with bridging functionality enabled print Show bridge interfaces get get value of item's property find Find interfaces set Change bridge interface settings enable Enable interface disable Disable interface add create new item remove remove item export Export bridge interfaces settings port Interface settings host firewall admin MikroTik interface bridge> print Flags X disabled R running 0 R name bridge1 mtu 1500 arp enabled mac address 00 50 08 00 00 F5 forward protocols ip arp appletalk ipx ipv6 other priority 1 1 X name bridge2 mtu 1500 arp enabled mac address 00 50 08 00 00 F7 forward protocols appletalk ipx ipv6 other priority 1 admin MikroTik interface bridge> Argument description name descriptive name of interface default is bridgeX X 1 2 mtu maximum transmit unit in bytes 68 1500 default 1500 arp Address Resolution Protocol setting one of the disabled the interface will not use ARP protocol enabled the interface will use ARP protocol proxy arp the interface will be an ARP proxy see corresponding manual reply on
311. ed by default for all new wireless interfaces • when older versions of the RouterOS are upgraded from a version without M3P to a version with discovery current wireless interfaces will not be automatically enabled for M3P • small packets going to the same MAC level destination regardless of IP destination are collected according to the set configuration and aggregated into a large packet according to the set size • the packet is sent as soon as the maximum aggregated packet size is reached or a maximum time of 15ms 5ms MikroTik Packet Packer Protocol Setup IP MikroTik Packet Packer Protocol is working only between MikroTik routers which are discovered with MikroTik Neighbor Discovery Protocol So you should enable MNDP in order to get M3P to work Consult MNDP manual on how to do it IP MikroTik Packet Packer Protocol management can be accessed under the ip packing submenu admin MikroTik ip packing> interface Interface settings print Show packing settings get get value of property set export display the configuration as a set of commands admin MikroTik ip packing> print enable unpacking yes expected size 28 aggregated size 1500 admin MikroTik ip packing> Argument description enable unpacking enables unpacking feature of M3P for all Ethernet like interfaces on the router should be enabled if you have any
312. ee the dynamic routes under the ip route print list PPTP Router to Router Secure Tunnel Example The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet [Figure: Network Setup without PPTP enabled] There are two routers in this example • HomeOffice Interface LocalHomeOffice 10 150 2 254 24 Interface ToInternet 192 168 80 1 24 • RemoteOffice Interface ToInternet 192 168 81 1 24 Interface LocalRemoteOffice 10 150 1 254 24 Each router is connected to a different ISP One router can access another router through the Internet On the PPTP server a user must be set up for the client admin HomeOffice ppp secret> add name ex service pptp password 1k gt 3rht local address 10 0 103 1 remote address 10 0 103 2 admin HomeOffice ppp secret> print detail Flags X disabled 0 name ex service pptp caller id password 1k3jrht profile defaul
313. status connected to ess frequency 5180MHz tx rate 54Mbps rx rate 6Mbps ssid mt bssid 00 06 AB 00 37 8 signal strength 72 El admin MikroTik interface atheros> The IP addresses assigned to the wireless interface should be from the network 10 0 0 0 24 e.g. admin MikroTik ip address> add address 10 0 0 217 24 interface atheros1 admin MikroTik ip address> print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 10 0 0 0 10 0 0 255 atheros1 1 192 168 0 254 24 192 168 0 254 192 168 0 254 ether1 MikroTik ip address> The default route should be set to the gateway router 10 0 0 1 not to the AP 10 0 0 250 admin MikroTik ip route> add gateway 10 0 0 1 admin MikroTik ip route> print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 r 10 0 0 1 1 atheros1 1 DC 10 0 0 0 24 r 0 0 0 0 0 atheros1 2 DC 192 168 0 0 24 r 0 0 0 0 0 ether1 admin MikroTik ip route> Note that you cannot use the bridging function between the atheros and ethernet interfaces if the atheros interface is in the station mode The bridge does not work in this case Wireless Access Point L
314. eless i Accesspoint ME ion A ae gt ss Internet frequency 2442 interface bridget 10 0 0 250 28 CE 2 4GHz 10 0 0 1 Wireless Network 11Mbps 10 0 0 0 24 A interface aironet ssidl mt Wireless Router i mode infrastructure mikrotik address 10 0 0 217 24 interface Local address 192 168 0 254 24 Local Network 192 168 0 0 24 No Hub 7 na Workstation Laptop 192 168 0 1 192 168 0 2 You need both the 2 4GHz Wireless and the Prism AP Feature Licenses to enable the AP mode To make the MikroTik router work as an access point the configuration of the prism wireless interface should be as follows e A unique Service Set Identificator should be chosen say mt e A frequency should be selected for the link say 2442MHz e The operation mode should be set to ap bridge or bridge The following command should be issued to change the settings for the prism interface admin MT_Prism_AP interface prism gt set 0 mode ap bridge frequency 2442MHz ssid mt admin MT_Prism_AP interface prism gt print Flags X disabled R running O R name prism1 mtu 1500 mac address 00 90 4B 02 17 E2 arp enabled mode ap bridge root ap 00 00 00 00 00 00 frequency 2442MHz ssid mt default authentication yes default forwarding yes max clients 2007 card type generic tx power auto supported rates 1 11 basic rates 1 admin MT_Prism_AP interface prism gt monitor 0 current sta count 2 current ap count
315. em gt telnet Run telnet session to remote host lt host gt IP address of host admin MikroTik system gt telnet Telnet Client Examples A simple example of using Telnet admin MikroTik gt system telnet 10 0 0 100 Trying 10 0 0 100 Connected to 10 0 0 100 Escape character is ikroTik v2 5 12 Login Telnet using Telnet command mode Mikrotik gt system telnet telnet gt open 10 0 0 100 Trying 10 0 0 100 MikroTik RouterOS V2 6 Reference Manual 393 Telnet Client Connected to 10 0 0 100 Escape character is ikroTik v2 5 12 Login O Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 394 UPS Monitor Document revision 1 0 20 Jan 2003 This document applies to the MikroTik RouterOS v2 6 Table of Contents e Table of Contents e Summary e Specifications Cabling e UPS Monitor Setup Property Description Notes Example e Runtime Calibration Description Notes Example e UPS Monitoring Property Description Example e Additional Resources Summary The UPS monitor feature works with APC UPS units that support smart signaling This feature enables the network administrator to monitor the UPS and set the router to gracefully handle any power outage with no corruption or damage to the router The basic purpose of this feature is to ensure that the router will come back online after an extended power failure
316. em with specified property values address Network address part of addresses user is allowed to use comment short description of the item copy from item number disabled group Permissions group for user nam New user nam netmask Netmask part of addresses user is allowed to use password User password admin MikroTik user gt add name joe password j102e3 group write admin MikroTik user gt print Flags X disabled 0 55 system default user name admin group full address 0 0 0 0 0 dl name joe group write address 0 0 0 0 0 fadmin MikroTik user gt Argument description name User name Must start with an alphanumeric character and may contain alphanumeric characters _ MikroTik RouterOS V2 6 Reference Manual 400 Users and Groups group Name of the group the user belongs to The system default groups are full write read See below on how to manage user groups password User password If not specified 1t is left blank hit Enter when logging in It conforms to standard Unix characteristics of passwords Can contain letters digits and address Ip address form which the user is allowed to log in netmask Network mask of addresses assigned to the user List of active users can be viewed using the user active print command admin MikroTik user gt active print 0 when aug 09 2002 21 46 13 name admin address 0 0 0 0 via console 1 when aug 09 2002 15 54 36 name admin addr
317. en name user value hsuser gt where hsuser is the username you are providing MikroTik RouterOS V2 6 Reference Manual 247 HotSpot Gateway 2 To provide predefined value as password change lt input type password input_password gt to this line lt input type hidden name password value hspass gt where hspass is the password you are providing 3 To send client s MAC address to a registration server in form of https www server serv register html mac XX XX XX XX XX XX change the Login button link to https www server serv register html mac mac you should correct the link to point to your server Copyright 1999 2003 MikroTik MikroTik RouterOS V2 6 Reference Manual 248 IP Addresses and Address Resolution Protocol ARP Document revision 16 Sep 2002 This document applies to the MikroTik RouterOS V2 6 Overview The following Manual discusses managing IP addresses and the Address Resolution Protocol ARP IP addresses serve as identification when communicating with other network devices using the TCP IP protocol It is possible to add multiple IP addresses to an interface or to leave the interface without addresses assigned to it Leaving a physical interface without an IP address is a must when the bridging between interfaces is used In case of bridging the IP address is assigned to a bridge interface MikroTik RouterOS has following types of addresses e Static IP Address
318. ent and the MikroTik Access Concentrator not always is stable and the Windows PPPoE clients get disconnected Set the Redialing Options of the Windows client to Redial if line is dropped yes and Time between redial attempts 1s RADIUS Server Configuration Example Below are general steps for configuring RADIUS server under UNIX Let us assume you have downloaded a server installation installed it and the service is running 1 Check what ports are used for RADIUS authentication and accounting You can use netstat I or netstat In command for example root server home netstat ln MikroTik RouterOS V2 6 Reference Manual 152 General Point to Point Settings Active Internet connections only servers Proto Recv Q Send Q Local Address Foreign Address State tcp 0 0 0 0 0 0 110 0 0 0 0 LISTEN tcp 0 0 0 0 0 0 21 0 0 0 0 LISTEN tcp 0 0 0 0 0 0 22 00000003 LISTEN tcp 0 0 0 0 0 0 25 0003034 LISTEN udp 0 0 0 0 0 0 1812 O 000 0 3 udp 0 0 0 0 0 0 1813 0 30 20003 2 Make sure your RADIUS clients are listed in the clients file It should contain client s IP address or hostname and secret key for example root server raddb cat clients Client Name Key 10 5 15 4 rm219pppoe radius TON 36 8 a hotspot radius 10 0 0 100 artis secret root server raddb 3 Make sure the RADIUS attributes used are included in the dictionary file containing dictionary translations for par
319. ent to user Note that these stats are updated each time user logs out and RADIUS accounting is disabled or RADIUS is disabled It means that if user is currently logged in then these stats will not show current total values Use ip hotspot active print stats to produce statistics on current user sessions The active user list shows the list of currently logged in users Nothing can be changed here except user can be removed with the remove command admin MikroTik ip hotspot active gt prin USER ADDRESS UPTIME 0 ex 10 0 0 204 6m10s admin MikroTik ip hotspot active gt Fl ct n ESSION TIMEOUT IDLE TIMEOUT Description of the printout user name of user logged in address IP address of logged in user uptime current session time logged in time for this IP address MikroTik RouterOS V2 6 Reference Manual 241 HotSpot Gateway session timeout how much time it is left for IP address until it will be automatically logged out idle timeout how much idle time it is left for IP address until it will be automatically logged out Statistics about logged in user are available too admin MikroTik ip hotspot active gt print stats USER UPTIME BYTES IN BYTES OUT PACKETS IN PACKETS OUT 0 ax 12m53s 1237091 1222130 4062 4241 admin MikroTik ip hotspot active gt HotSpot Cookies HotSpot Cookies can be managed within ip hotspot cookie submenu admi
320. ents IP Telephony; Implementation Options; IP Telephony Hardware and Software Installation; Software Packages; Hardware Installation; IP Telephony Configuration; Telephony Voice Ports; Monitoring the Voice Ports; Voice Port for Telephony cards; Voice Port for ISDN; Voice Port for Voice over IP (VoIP); Regional Settings; Audio CODEC; IP Telephony Accounting; IP Telephony Gatekeeper; IP Telephony Troubleshooting; IP Telephony Applications; Setting up the MikroTik IP Telephone; Setting up the IP Telephony Gateway
321. ents looks like follows admin MikroTik interface atheros gt registration table print INTERFACE MAC ADDRESS TYPE PARENT SIGNAL LX aie O atherosl 00 06 AB 00 37 85 client 67 6Mbps admin MikroTik interface atheros gt There are two possible ways of implementing the wireless access point feature e Use it as a pure access point with bridging function enabled between the ethernet and atheros interfaces The IP address can be assigned to the bridge interface e Use it as a wireless access point router with routing functionality between the Ethernet and atheros interfaces It requires different IP addresses assigned to both the Ethernet and atheros interfaces The addresses should be from different networks as well To enable bridging between the ethernet and atheros interfaces do the following MikroTik RouterOS V2 6 Reference Manual 76 Atheros 5GHz 54Mbps Wireless Interface 1 Add bridge interface with the desired forwarded protocols admin MikroTik interface bridge gt add forward protocols ip arp other admin MikroTik interface bridge gt print Flags X disabled R running 0O X name bridgel mtu 1500 arp enabled mac address 00 00 00 00 00 00 forward protocols ip arp other priority 1 admin MikroTik interface bridge gt 2 Add the desired interfaces to the bridge interface admin MikroTik interface bridge port gt set etherl atherosl bridge bridgel admin MikroTik interface b
322. er displayed before the command prompt The identity may be set within the system identity submenu admin MikroTik interface pppoe server gt server print Flags X disabled 0 X service name office interface prisml mtu 1492 mru 1492 authentication chap keepalive timeout 10 default profile default admin MikroTik interface pppoe server server gt Descriptions of settings service name The PPPoE service name mtu mru The default MTU and MRU is set to 1480 but the maximum values they can be set to on the ethernet interface is 1492 because of the PPPoE overhead For encryption subtract four more bits and set the MTU and MRU to 1488 authentication authentication algorithm One or more of mschap2 chap pap keepalive timeout defines the time period in seconds after which not responding client is proclaimed disconnected The default value of 10 is OK in most cases If you set it to 0 the router will not disconnect clients until they log out or router is restarted default profile default profile to use for the clients Security issue do not assign an IP address to the Interface you will be receiving the PPPoE requests on The PPPoE server will create point to point connection for each individual client Each connection will have individual dynamic virtual P2P interface The local address will be set on its server side and the remote address will be given to the client The addresses do not need to be
323. er hardware should have e An advanced 4th generation core frequency 100MHz or more 5th generation Intel Pentium Cyrix 6X86 AMD K5 or comparable or newer Intel IA 32 i386 compatible motherboard and processor dual processors are not supported e from 32MB to 1GB RAM from 48MB suggested e 30MB or more PRIMARY MASTER IDE HDD or IDE flashdrive Note The hard disk will be entirely reformatted during the installation and all data on it will be lost e A network adapter NE2000 compatible PCI or ISA Ethernet card or any other supported NIC see specifications of supported interfaces on our web page Note that you can move the hard drive with MikroTik RouterOS installed to a new hardware without losing a license but you cannot move the RouterOS to a different hard drive without purchasing another license except hardware failure situations For additional information write to key support mikrotik com For installation purposes and only for that time you should also have e A SECONDARY MASTER CD drive set as primary boot device if you want to use the created CD for installing the MikroTik RouterOS onto the primary master HDD e A 3 5 FDD set as primary boot device if you want to use the created set of floppies for installing the MikroTik RouterOS e A monitor and keyboard for installation and initial setup of the MikroTik Router The monitor and keyboard do not need to be connected to the router after it is s
324. er set to mt The IP addresses assigned to the interfaces should be from networks 10 0 0 0 24 and 192 168 0 0 24 admin mikrotik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 10 0 0 0 10 0 0 255 atherosl 1 192 168 0 254 24 192 168 0 0 192 168 0 255 Local admin mikrotik ip address gt MikroTik RouterOS V2 6 Reference Manual 77 Atheros 5GHz 54Mbps Wireless Interface The default route should be set to gateway 10 0 0 1 for the router mikrotik admin mikrotik ip route gt add gateway 10 0 0 254 admin mikrotik ip route gt print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Ss 0 0 0 0 0 r 10 0 0 1 1 atherosl 1 DC 10 0 0 0 24 F 04000 0 atheros1l 2 DC 192 168 0 254 24 r 0 0 0 0 0 Local admin mikrotik ip route gt Wireless Bridge To set up a wireless bridge between two networks you need to have a wireless 2 4GHz or AP license Configure one MikroTik RouterOS Atheros AP to register to another MikroTik RouterOS Atheros AP for point to point operation The basic setup is as follows mode access point ssid br8 frequency 5300MHz supported rates 6 54 basic rates 6 oras e MT child a y _ interface atheros1 interface atheros1 mac address mac address LAN2 00 06 4B 00 37 8
325. er through the IP network Our goal is to create a secure channel between the routers and bridge both networks through it The network setup diagram is as follows IP Network Remote 192 168 2 1 Our_GW 192 168 1 1 PPTP Tunnel Office LAN Remote LAN To make a secure Ethernet bridge between two routers you should 1 Create a PPTP tunnel between them Our_GW will be the pptp server admin Our_GW interface pptp server gt ppp secret add name joe service pptp password top_s3 local address 10 0 0 1 remote address 10 0 0 2 admin Our_GW interface pptp server gt add name from_remote user jo admin Our_GW interface pptp server gt server set enable yes admin Our_GW interface pptp server gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 from_remote joe admin Our_GW interface pptp server gt Pooch ict The Remote router will be the pptp client admin Remote interface pptp client gt add name pptp user joe connect to 192 168 1 1 password top_s3 mtu 1500 mru 1500 admin Remote interface pptp client gt enable pptp admin Remote interface pptp client gt print Flags X disabled R running O R name pptp mtu 1500 mru 1500 connect to 192 168 1 1 user joe password top_s2 profile default add default route no admin Remote interface pptp client gt m
326. er values For example admin MikroTik gt interface print Flags X disabled D dynamic R running NAME TYPE MTU O R etherl ether 1500 1 R ether2 ether 1500 2 R ether3 ether 1500 3 R ether4 ether 1500 4 R prismi prism 1500 admineMikroTik gt To change parameters of an item interface settings in this particular case you have to specify 1t s number to the set command admin MikroTik interface gt set 0 mtu 1460 admin MikroTik interface gt print Flags X disabled D dynamic R running NAMI TYPE MTU El MikroTik RouterOS V2 6 Reference Manual 24 Terminal Console Manual O R etherl ether 1460 1 R ether2 ether 1500 2 R ether3 ether 1500 3 R ether4 ether 1500 4 R prismi prism 1500 admin MikroTik interface gt Numbers are assigned by print command and are not constant it is possible that two successive print commands will order items differently But the results of last print commands are memorized and thus once assigned item numbers can be used even after add remove and move operations after move operations item numbers are moved with the items Item numbers are assigned for sessions they will remain the same until you quit the console or until the next print command is executed Also numbers are assigned separately for every item list so ip address print won t change numbers for interface list Let s assume interface prism print hasn t been executed in this session I
327. erading Example of Destination NAT MikroTik RouterOS V2 6 Reference Manual 226 Firewall Filters and Network Address Translation NAT Basic Firewall Building Principles Assume we have router that connects a customer s network to the Internet The basic firewall building principles can be grouped as follows e Protection of the Router from Unauthorized Access Connections to the addresses assigned to the router itself should be monitored Only access from certain hosts to certain TCP ports of the router should be allowed This can be done by putting rules in the input chain to match packets with the destination address of the router entering the router through all interfaces e Protection of the Customer s hosts Connections to the addresses assigned to the customer s network should be monitored Only access to certain hosts and services should be allowed This can be done by putting rules in the forward chain to match packets passing through the router with the destination addresses of customer s network e Using source NAT masquerading to Hide the Private Network behind one External Address All connections form the private addresses are masqueraded and appear as coming from one external address that of the router This can be done by enabling the masquerading action for source NAT rules e Enforcing the Internet Usage Policy from the Customer s Network Connections from the customer s network should be monitored This can
328. ers are tested to comply with MikroTik RouterOS e Vadem VG 469 PCMCIA ISA adapter e RICOH PCMCIA PCI Bridge with R5C475 II or RC476 II chip one or two PCMCIA ports e CISCO Aironet PCMCIA adapter ISA and PCA versions for CISCO Aironet PCMCIA cards only Other PCMCIA ISA and PCMCIA PCI adapters might not function properly The Ricoh adapter might not work properly with some older motherboards When recognized properly by the BIOS during the boot up of the router it should be reported under the PCI device listing as PCI CardBus bridge Try using another motherboard if the adapter or the Prism card are not recognized properly Note that there are a maximum for a number of PCMCIA ports 8 If You will try to install 9 or more ports no matter whether with one port or two port adapters in any combination no one will be recognized List of Drivers The list of device drivers included in the system software package is given below ISA Drivers Drivers for ISA cards should be loaded manually e ne2k isa Load the driver by specifying the I O base address IRQ is not required Driver is suitable for most of the NE2000 compatible ISA cards e 30509 Load the driver by specifying the I O base address IRQ is not required Driver is suitable for 3COM 509 Series ISA cards 3Com EtherLink III PCI Drivers Drivers for PCI cards are loaded automatically if the relevant interface card is installed and it does not have hardw
329. ers over third party networks MikroTik RouterOS V2 6 Reference Manual 169 Point to Point Tunnel Protocol PPTP Hetwork Setup with PPTP Internet 2 Encrypted e ISP 1 PPTP Tunnel Sy ISP 2 network 192 168 804 network 192 168 81 0 netmask 255 255 29 netmask 255 255 255 0 3 f 4 RemoteOffice To n coe ays n To ntemet 492 169 80 1 24 py 190 103 824 Punoi To SS basg 192 163 81 1 24 LocalHomeOffice MD BN LocaiRemoteOffice 1 0150 2 254 24 0750 17 254 24 network 10 150 2 0 network 10 150 1 0 netmask 255 255 255 0 netmask 255 255 255 0 do a Laptop Workstation 10 150 2 1 24 10 150 1 1 24 To route the local Intranets over the PPTP tunnel add these routes admin HomeOffice gt ip route add dst address 10 150 1 0 24 gateway 10 0 103 2 admin RemoteOffice gt ip route add dst address 10 150 2 0 24 gateway 10 0 103 1 On the PPTP server it can alternatively be done using routes parameter of the user configuration admin HomeOffice ppp secret gt print detail Flags X disabled 0 name ex service pptp caller id password l1kjrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes admin HomeOffice ppp secret gt set 0 routes 10 150 1 0 24 10 0 103 2 1 admin HomeOffice ppp secret gt print detail Flags X disabled 0 name ex service pptp Ccaller id password 1k3jrht profile default local address 10 0 103 1 remote address 10 0 103 2 routes
330. erver e PPP Client Setup e Additional Resources Installation The ppp 2 6 x npk are required The package can be downloaded from MikroTik s web page www mikrotik com To install the package please upload them to the router with ftp and reboot Hardware Resource Usage PPP uses a minimum amount of memory If the devices are detected correctly they should appear in driver list admin MikroTik gt driver print Flags I invalid D dynamic DRIVER IRQ IO MEMORY ISDN PROTOCOL 0 D Cyclades Y Z MikroTik RouterOS V2 6 Reference Manual 155 Point to Point Protocol PPP and Asynchronous Interfaces 1 D RealTek 8139 2 D TheTCL DataBooster 3 D Intel PRO 100 fadmin MikroTik gt To see the list of available serial ports use the command ports print for example admin OANA OO FWNEF CO io 10 11 2 13 14 15 16 NAME jal m ikroTik serialo databooster1 databooster2 databooster3 databooster4 databooster5 databooster6 databooster7 databooster8 cycl cycl cycl cycl cycl cycl cycl cycl adesAl adesA2 adesA3 adesA4 adesA5 adesA6 adesA7 adesA8 fadmin MikroTik gt port print USED BY Serial Console gt Serial Port Configuration You can set parameters for each port using port set command fadmin MikroTik fadmin MikroTik 0 name serial0 used by Serial Console baud rate 57600 data bits 8 parity non port gt set serial0
331. es are user assigned addresses to the network interfaces e Dynamic IP Addresses are assigned automatically when ppp ppptp or pppoe connections are established Contents of the Manual The following topics are covered in this manual e Assigning IP Addresses e Address Resolution Protocol ARP e Using the Proxy ARP Feature e Using Unnumbered Interfaces e Troubleshooting Assigning IP Addresses IP address management can be accessed under the ip address submenu admin MikroTik ip address gt IP addresses are given to router to access it remotely and to specify it as a gateway for other hosts routers print Show IP addresses get get value of item s property find Find addresses set Change IP address properties add Add IP address remove Remove IP address enable Enable IP address disable Disable IP address comment Set comment for IP address export Export list of IP addresses admin MikroTik ip address gt Use the ip address add command to add an IP address to an interface In most cases it is enough to specify the address the netmask and the interface arguments The network prefix and the broadcast address are calculated automatically for example MikroTik RouterOS V2 6 Reference Manual 249 IP Addresses and Address Resolution Protocol ARP admineMikroTik ip address gt add creates new item with specified property values address Local IP address broadcast Broadcast address comment short descript
332. es default route 1f gateway becomes unreachable How it s done There are two scripts The script gw_2 is executed once when status of host changes to up In our case it s equivalent to entering this console command MikroTik gt ip route set ip route find dst 0 0 0 0 gateway 10 0 0 217 The ip route find dst 0 0 0 0 command returns list of all routes whose dst address value is zero Usually that s the default route It is substituted as first argument to ip route set command which changes gateway of this route to 10 0 0 217 The script gw_1 is executed once when status of host becomes down It does the following MikroTik gt ip route set ip route find dst 0 0 0 0 gateway 10 0 0 1 It changes the default gateway if 10 0 0 217 address has become unreachable Here s another example that sends email notification whenever the 10 0 0 215 host goes down MikroTik system script gt add name e down source tool e mail send from rieks mt lv server 159 148 147 198 body Router down subject Router at second floor is down to rieks latnet lv add name e up source tool e mail send from rieks mt lv server 159 148 147 198 body Router up subject Router at second floor is up to rieks latnet 1v MikroTik system script gt MikroTik system script gt tool netwatch MikroTik system script gt MikroTik RouterOS V2 6 Reference Manual 34 Scripting Manual add host 10 0 0 215 timeout 999ms interval
333. escription connected to Internet no ip address encapsulation frame relay IETF serial restart delay 1 frame relay lmi type ansi frame relay intf type dce interface Serial0 1 point to point ip address 1 1 1 2 255 255 255 0 no arp frame relay frame relay interface dlci 42 end Send ping to MikroTik router CISCO ping 1 1 1 1 Typ scape sequence to abort Sending 5 100 byte ICMP Echos to 1 1 1 1 timeout is 2 seconds Success rate is 100 percent 5 5 round trip min avg max 28 31 32 ms CISCO Frame Relay Troubleshooting e I cannot ping through the synchronous frame relay interface between MikroTik router and a Cisco router MikroTik RouterOS V2 6 Reference Manual 117 FrameRelay PVC Interfaces FrameRelay does not support address resolving and IETF encapsulation should be used Please check the configuration on the Cisco router Copyright 1999 2002 MikroTik Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 118 IP over IP IPIP Tunnel Interface Document revision 29 Nov 2002 This document applies to the MikroTik RouterOS V2 6 Overview The IPIP tunneling implementation on the MikroTik RouterOS is RFC 2003 compliant IPIP tunnel is a simple protocol that encapsulates IP packets in IP to make a tunnel between two routers The IPIP tunnel interface appears as an interface under the interface list Many routers including Cisco and Linux based support
334. esl admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 219 24 10 0 0 0 100304255 ether1 1 kaketa lAa Lebl AAS Selle cyclades1 2 192 168 0 254 24 192 168 0 254 192 168 0 255 ether2 admin MikroTik ip address gt ping 1 1 1 2 1 1 1 2 64 byte pong tt1 255 time 12 ms 1 1 1 2 64 byte pong ttl 255 time 8 ms 1 1 1 2 64 byte pong tt1 255 time 7 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 7 9 0 12 ms admin MikroTik ip address gt tool flood ping 1 1 1 2 size 1500 count 50 sent 50 received 50 min rtt 1 avg rtt 1 max rtt 9 admin MikroTik ip address gt Note that for the point to point link the network mask is set to 32 bits the argument network is set to the IP address of the other end and the broadcast address is set to 255 255 255 255 The default route should be set to the gateway router 1 1 1 2 admin MikroTik ip route gt add gateway 1 1 1 2 interface cycladesl admin MikroTik ip route gt print Flags X disabled I invalid D dynamic J rejected G connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE O S 0 0 0 0 0 ded dae 1 cycladesl 1 DC 10 0 0 0 24 000 020 0 etherl 2 DC 192 168 0 0 24 r 0 0 0 0 0 ether2 MikroTik RouterOS V2 6 Reference Manual 98 Cyclades PC300 PCI Adapters 3 DE 1 1 d
335. ess 0 0 0 0 session timeout 0s idle timeout 0s use compression no use vj compression yes use encryption no require encyrption no only one no tx bit rate 0 rx bit rate 0 incoming filter outgoing filter admin Mikrotik ppp profile gt set default idle timeout 30s If you would like to remain connected all the time i e as a leased line then set the idle timeout to Os All that remains is to enable the interface admin MikroTik interface set isdn isp disabled no You can monitor the connection status with admin MikroTik interface isdn client monitor isdn isp ISDN Dial in Dial in ISDN connections allow remote clients to connect to your router via ISDN Let us assume you would like to set up a router for accepting incoming ISDN calls from remote clients You have an ethernet card connected to the LAN and an ISDN card connected to the ISDN line First you should load the corresponding ISDN card driver Supposing you have an ISDN card with an HFC chip admin MikroTik driver add name hfc Now additional channels should appear Assuming you have only one ISDN card driver loaded you should get the following admineMikroTik isdn channels gt print MikroTik RouterOS V2 6 Reference Manual 125 ISDN Interface Flags X disabled E exclusive NAME CHANNEL DIR TYPE PHONE 0 channell 0 dl channel 2 1 fadmin MikroTik isdn channels gt Add an incoming ISDN interface an
336. ess 0 0 0 0 via web 2 when aug 09 2002 14 23 44 name admin address 10 0 0 250 via telnet fadmin MikroTik user gt When the user has logged on he can change his password using the password command The user is required to enter his her current password before entering the new password When the user logs out and logs in for the next time the new password must be entered User Groups User group management can be accessed under the user group menu admin MikroTik user gt group print 0 users with read only permission name read policy local telnet ssh ftp reboot read write policy test web 1 users with write permission name write policy local telnet ssh ftp reboot read write policy test web 2 7 7 users with complete access name full policy local telnet ssh ftp reboot read write policy test web fadmin MikroTik user gt There are three system groups which cannot be deleted Use add command to add a user group admin MikroTik user group gt add name reboot policy telnet reboot read admin MikroTik user group gt print O 57 users with read only permission name read policy local telnet ssh ftp reboot read write policy test web 1 users with write permission name write policy local telnet ssh ftp reboot read write policy test web 2 77 users with complete access name full policy local telnet ssh ftp reboot read write policy test web 3 name r
337. ess Point e Network Scan e Logging of Prism Interface e Troubleshooting e Wireless Network Applications Wireless Client Wireless Access Point Wireless Bridge e Supported Prism Il Hardware MikroTik RouterOS V2 6 Reference Manual 174 Prismll Wireless Client and Wireless Access Point Manual Supported Network Roles Wireless Client The Prism interface can be configured to act as an IEEE 802 11b wireless client station to associate with an access point The station mode has been tested with MikroTik RouterOS PrismII based Access Points and CISCO Aironet Wireless Ethernet Bridges and Access points Wireless Access Point The Prism interface can be configured to act as an IEEE 802 11b wireless access point It requires the Prism AP Feature License The access point can register wireless clients The access point mode has been tested with PrismIl CISCO Aironet and ORINOCO WaveLAN clients An Additional Feature License is required to enable your Access Point feature The Wireless Client License is required as well AP mode can be enabled only for these cards IEEE 802 11b 2 4GHz 11Mbps Prism II Prism 2 5 Cards IEEE 802 11a 5 2GHz 54Mbps Atheros Cards The PrismII Access Point interface can register other access points Thus it is possible to bridge networks over wireless links Wireless Bridge This is limited version of the Access Point mode which allows only one client to be registered but does not require the Prism
338. esses 0x300 0x31f the second card 0x320 0x33f the third 0x340 0x35f and so on Make sure there is no conflict in these ranges with other devices e g network interface cards etc If the MikroTik router will be used as e an IP telephone connect an analog telephone with tone dialing capability to the PhoneJACK or LineJACK card e an IP telephony gateway connect an analog telephone line to the LineJACK Voicetronix or Zaptel card Please consult the ISDN Manual for more information about installing the ISDN adapters IP Telephony Configuration The IP Telephony requires IP network connection and configuration The basic IP configuration can be done under the ip address and ip route menus Configuration of the IP telephony can be accessed under the ip telephony menu admin MikroTik ip gt telephony IP Telephony interface gatekeeper Gatekeeper client configuration accounting Accounting configuration MikroTik RouterOS V2 6 Reference Manual 278 numbers IP Telephony Telephon codec Audio compression capability management voice port region export Telephony numbers management voice port management Telephony voice port regional setting management admin MikroTik ip gt telephony Telephony Voice Ports The management of all IP telephony voice ports linejack phonejack isdn voip voicetronix zaptel can be accessed under the ip telephony voice port menu Use the print command
339. esses or DHCP is used. Do not use static IP addresses or DHCP on interfaces on which the PPPoE is used, for security reasons. A PPPoE connection is composed of a client and an access concentrator (server). The client may be a Windows computer that has the PPPoE client protocol installed. The MikroTik RouterOS supports both the client and access concentrator implementations of PPPoE. The PPPoE client and server work over any Ethernet level interface on the router: wireless 802.11 (Aironet, Cisco, WaveLAN, Prism, Atheros), 10/100/1000 Mb/s Ethernet, RadioLAN, and EoIP (Ethernet over IP tunnel). No encryption, MPPE 40bit RSA and MPPE 128bit RSA encryption are supported. Our RouterOS has a RADIUS client that can be used for authentication of all PPP type connections, including PPPoE. For more information on PPP authentication, see the General Point to Point Settings manual. Supported connections: • MikroTik RouterOS PPPoE client to any PPPoE server (access concentrator) • MikroTik RouterOS server (access concentrator) to multiple PPPoE clients (clients are available for almost all OSs and some routers). Topics covered in this manual: • PPPoE Installation on the MikroTik RouterOS • PPPoE hardware resource usage • PPPoE Client Setup • PPPoE Server Setup (Access Concentrator) • PPPoE bandwidth setting • PPPoE in a multipoint wireless 802.11b network • PPPoE Troubleshooting • Additional Resources. PPPoE Installation on the MikroTik R
340. et up for connecting to it over the network. Boot up your dedicated PC router from the Installation Media you created and follow the instructions on the console screen while the HDD is reformatted and MikroTik RouterOS is installed on it. After successful installation, please remove the installation media from your CD or floppy disk drive and hit Enter to reboot the router. While the router is starting up for the first time, you will be given a Software ID for your installation and asked to supply a valid software license key (Software Key) for it. Write down the Software ID. You will need it to obtain the Software License through the MikroTik Account Server. If you need extra time to obtain the Software License Key, you may want to power off the router. Type shutdown in the Software key prompt and power the router off when the router is halted. Obtaining the Software License: The MikroTik RouterOS Software licensing process is described in the following diagram. [Diagram: software licensing process between the router console, a workstation, and the MikroTik Account Server at www.mikrotik.com]
341. et us consider the following point to point wireless network setup with two MikroTik Wireless Routers: [Network diagram. Labels: Atheros 5GHz 54Mbps wireless interface; wireless access point, frequency 5180, interface bridge1 10.0.0.250/24, gateway 10.0.0.1; 5GHz wireless network 10.0.0.0/24; wireless router, interface atheros, ssid mt, mode infrastructure, address 10.0.0.217/24; interface Local, address 192.168.0.254/24; local network 192.168.0.0/24; workstations 192.168.0.1 and 192.168.0.2] To make the MikroTik router work as an access point, the configuration of the atheros wireless interface should be as follows: • A unique Service Set Identifier should be chosen, say mt • A frequency should be selected for the link, say 5180MHz • The operation mode should be set to ap-bridge. The following command should be issued to change the settings for the atheros interface: [admin@MikroTik] interface atheros> set 0 mode=ap-bridge frequency=5180MHz ssid=mt [admin@MikroTik] interface atheros> print 0 R name=atheros1 mtu=1500 mac-address=00:06:AB:00:37:8E arp=enabled mode=ap-bridge root-ap=00:06:AB:00:37:75 frequency=5180MHz ssid=mt supported-rates=6-54 basic-rates=6 protocol=802.11-standard ack-time=26 default-authentication=yes default-forwarding=yes max-clients=2007 [admin@MikroTik] interface atheros> The list of registered cli
342. ether2 ipipl PREFIX PATH interface COMMAND monitor traffic NAMELESS_ARGUMENTS etherl ether2 ipipl Here are explanations for each part of command PREFIX is either or It is optional PATH is a sequence of command level names and It is also optional but the processing of MikroTik RouterOS V2 6 Reference Manual 35 Scripting Manual commands without given path may change in future versions so in your scripts use path that starts with prefix or whenever possible PATH_ARGUMENT is required by some command levels like ip firewall rule and is not allowed anywhere else COMMAND is command name from the command level specified by path NAMELESS_ARGUMENTS are specific to each command Values of these arguments are written in fixed order after name of command and only after all nameless argument values any named arguments can be given ARGUMENTS are sequence of argument names like user print brief without paging For arguments that take values argument name is followed by followed by value of argument Variable substitution command substitution and expressions are allowed only for PATH_ARGUMENT and command argument values Prefix path command name and argument names can only be given directly as a word So put 1 AP lt 2 is valid and Tipun s Tt 3 is not Grouping level commands It is possible to execute several commands from the same comma
343. etherl receive v2 send v2 authentication none authentication key prefix list in none prefix list out non admin MikroTik routing rip interface gt Note that the ether2 does not need to be enabled if no propagation of RIP information is required into the Remote network The routes obtained by RIP can be viewed in the routing rip route menu MikroTik routing rip gt route print Flags S static R rip O ospf C connect B bgp 0 R dst address 0 0 0 0 0 gateway 10 0 0 26 metric 2 from 10 0 0 26 1 dst address 10 0 0 0 24 gateway 0 0 0 0 metric 1 from 0 0 0 0 2 C dst address 192 168 0 0 24 gateway 0 0 0 0 metric 1 from 0 0 0 0 3 R dst address 192 168 1 0 24 gateway 10 0 0 26 metric 1 from 10 0 0 26 4 R dst address 192 168 3 0 24 gateway 10 0 0 26 metric 1 from 10 0 0 26 fadmin MikroTik routing rip gt The regular routing table is MikroTik routing rip gt ip route print Flags X disabled I invalid D dynamic J rejected connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE O R 0 0 0 0 0 r 10 0 0 26 120 etherl 1 R 192 168 3 0 24 r 10 0 0 26 120 etherl 2 R 192 168 1 0 24 r 10 0 0 26 120 etherl 3 DC 192 168 0 0 24 r 0 0 0 0 0 ether2 4 DC 10 0 0 0 24 r 0 0 0 0 0 etherl fadmin MikroTik routing rip gt As we can see the MikroTik router has learned RIP routes from the Cisco router The Configuration of the Cisco Router Ci
344. etting the Service Set Identifier up to 32 alphanumeric characters In our case we use ssid mt 2 Setting the allowed data rates at 1 11Mbps and the basic rate at 1Mbps 3 Choosing the frequency in our case we use 2442MHz 4 Setting the identity parameters ip address mask and gateway These are required if you want to access the AP remotely using telnet or http MikroTik RouterOS V2 6 Reference Manual 183 Prismll Wireless Client and Wireless Access Point Manual 5 If you use CISCO Aironet Wireless Ethernet Bridge or Access Point you should set the Configuration Radio I180211 Extended Allow proprietary extensions to off and the Configuration Radio I8021 1 Extended Encapsulation Default encapsulation method to RFC1042 If left to the default on and 802 1H respectively you won t be able to pass traffic through the bridge Note Please note that the AP is not a router It has just one network address and is just like any host on the network It resembles a wireless to Ethernet HUB or bridge The AP does not route the IP traffic The minimum configuration for the MikroTik router s prism wireless interface is 1 Setting the Service Set Identifier to that of the AP i e mt 2 The Operation Mode should be station admineMikroTik admineMikroTik interface prism gt set 0 ssid mt interface prism gt monitor 0 status connected to ess data rate 11Mbps ssid mt bssid 00 40 96 56 E2 AD signal qualit
345. f all PPP type connections, including PPTP. For more information on PPP authentication, see the General Point to Point Settings manual. Contents of the Manual. The following topics are covered in this manual: • Installation • Hardware Resource Usage • PPTP Protocol Description • PPTP Client Setup • PPTP Server Setup • PPTP Router to Router Secure Tunnel Example • Connecting a Remote Client via PPTP Tunnel • PPTP Setup for Windows: Links, Sample instructions for PPTP (VPN) installation and client setup Windows 98se • Troubleshooting • Additional Resources. Installation: The pptp-2.6.x.npk package and the ppp-2.6.x.npk are required. The package can be downloaded from MikroTik's web page www.mikrotik.com. To install the packages, please upload them to the router with ftp and reboot. You may check to see if the PPTP and PPP packages are installed with the command system package print. Hardware Resource Usage: PPTP uses a minimum amount of memory. RouterOS V2.6 is tested to have approximated encrypted throughput of 60Mb/s on a Celeron 600MHz CPU. PPTP Protocol Description: Though the following may sound complex, our implementation of PPTP is easy to set up and manage. PPTP is a secure tunnel for transporting IP traffic using PPP. PPTP encapsulates PPP in virtual lines that run over IP. PPTP incorporates PPP and MPPE (Microsoft Point
346. face gt put sd90039 2d1h40s admineMikroTik interface gt In console integers are internally represented as 64 bit signed numbers so the range of variable values can be from 9223372036854775808 to 9223372036854775807 It is possible to input them as hexadecimal numbers by prefixing with Ox admin MikroTik interface gt put 0x123ABCDEF4567890 1313569907099990160 fadmin MikroTik interface gt admineMikroTik gt Lists are written as comma separated sequence of values Putting whitespaces around commas are not recommended because it might confuse console about word boundaries admin MikroTik gt foreach i in 1 2 3 do put Si 2 3 admin MikroTik gt foreach i in 1 2 3 do put Si ERROR no such argument 2 admin MikroTik gt Truth values are written as either true or false Console also accepts yes for true and no for false Internal numbers begin with Time intervals are written as sequence of numbers that can be followed by letters specifying the units of time measure The default is second Numbers may have decimal point It is also possible to use the HH MM SS notation Here are some examples admin MikroTik gt put 1000s 16m40s admin MikroTik gt put day day day 3d admin MikroTik gt put 1 5hours 1h30m admin MikroTik gt put 1 15 1h15m admin MikroTik gt put 0 3 2 05 3m2s50ms admin MikroTik gt Accepted time u
347. face type ansi ccitt MikroTik RouterOS V2 6 Reference Manual 132 MOXA C101 Synchronous Interface ignore dcd Ignore DCD yes no line protocol Line protocol cisco hdlc frame relay sync ppp mtu Maximum Transmit Unit 68 1500 bytes Default value is 1500 bytes name New interface name You can monitor the status of the synchronous interface admin MikroTik interface synchronous gt monitor 0 dtr yes rts yes Cts no dsr no dcd no admin MikroTik interface synchronous gt If you purchased the MOXA C101 Synchronous card from MikroTik you have received a V 35 cable with it This cable should work for all standard modems which have V 35 connections For synchronous modems which have a DB 25 connection you should use a standard DB 23 cable Connect a communication device e g a baseband modem to the V 35 port and turn it on If the link is working properly the status of the interface is admineMikroTik interface synchronous gt monitor 0 dtr yes rts yes cts yes dsr yes dcd yes admineMikroTik interface synchronous gt The MikroTik driver for the MOXA C101 Synchronous adapter allows you to unplug the V 35 cable from one modem and plug it into another modem with a different clock speed and you do not need to restart the interface or router Troubleshooting e The synchronous interface does not show up under the interfaces list Obtain the required license for synch
348. fault value is 1500 bytes mode Operation mode of the card infrastructure ad hoc rts threshold RTS threshold fragmentation threshold Fragmentation threshold tx power Transmit power in mW rx antenna Receive antenna both default left right tx antenna Transmit antenna both default left right long retry limit Long retry limit short retry limit Short retry limit frequency Channel frequency 2412MHz 2422MHz 2484MHz bitrate Data rate 11Mbit s 1Mbit s 2Mbit s 5 5Mbit s auto apl Access Point 1 ap2 Access Point 2 ap3 Access Point 3 ap4 Access Point 4 ssidl Service Set Identifier 1 ssid2 Service Set Identifier 2 ssid3 Service Set Identifier 3 modulation Modulation mode cck default mbok client name Client name join net Beaconing period arp Address Resolution Protocol one of the disabled the interface will not use ARP protocol enabled the interface will use ARP protocol proxy arp the interface will be an ARP proxy see corresponding manual 4 reply only the interface will only reply to the requests originated to its own IP addresses but neighbour MAC addresses will be gathered from ip arp statically MikroTik RouterOS V2 6 Reference Manual 88 CISCO Aironet 2 4GHz 11Mbps Wireless Interface set table only You can monitor the status of the wireless interface admin
349. ference Manual 311 IP Route Management admin MikroTik ip policy routing gt table from_netl print Flags X disabled I invalid D dynamic R rejected TYPE DST ADDRESS NEXTHOP S GATEWAY DISTANCE INTERFACE 0 static 0 0 0 0 0 A 10 0 0 1 1 Public admin MikroTik ip policy routing gt table from_net2 print Flags X disabled I invalid D dynamic R rejected TYPE DST ADDRESS NEXTHOP S GATEWAY DISTANCE INTERFACE 0 static 0 0 0 0 0 A 10 0 0 2 1 Public admin MikroTik ip policy routing gt 3 Create rules that will direct traffic from sources to given tables and arrange them in the desired order admin MikroTik ip policy routing gt rule admin MikroTik ip policy routing rule gt print Flags X disabled I invalid SRC ADDRESS DST ADDRESS INTERFACE ACTION TABLE 0 0 0 0 0 0 0 0 0 0 0 all lookup main admin MikroTik ip policy routing rule gt add src address 1 1 1 1 32 action lookup table main admin MikroTik ip policy routing rule gt add src address 2 2 2 1 32 action lookup table main admin MikroTik ip policy routing rule gt add src address 1 1 1 0 24 action lookup table from_netl admin MikroTik ip policy routing rule gt add src address 2 2 2 0 24 action lookup table from_net2 admin MikroTik ip policy routing rule gt print Flags X disabled I invalid SRC
350. fic that uses small packet sizes of around 100 bytes. M3P features: • enabled by a per interface setting • other routers with MikroTik Discovery Protocol enabled will broadcast M3P settings • significantly increases bandwidth availability over some wireless links by approximately four times • offer configuration settings to customize this feature. Contents of the Manual. The following topics are covered in this manual: • Installation • Hardware Resource Usage • MikroTik Packet Packer Protocol Description • MikroTik Packet Packer Protocol Setup. Installation: The MikroTik Packet Packer Protocol feature is included in the system package. No installation is needed for this feature. Hardware Resource Usage: There is no significant resource usage. MikroTik Packet Packer Protocol Description: The wireless protocol IEEE 802.11 and, to a lesser extent, Ethernet protocol have a high overhead per packet, because for each packet it is necessary to access the media, check for errors, resend in case of errors, and send network maintenance messages (network maintenance is only for wireless). The MikroTik Packet Packer Protocol improves network performance by aggregating many small packets into a big packet, thereby minimizing the network per packet overhead cost. The M3P is useful when the average packet size is 50-300 bytes, the common size of VoIP packets. Specific Properties: • may work on any Ethernet like media • is enabl
351. file default 12 protocol x75bui bundle 128K no fadmin MikroTik interface isdn server gt Argument description name Interface name mtu Maximum Transmit Unit mru Maximum Receive Unit msn MSN EAZ of ISDN line provided by the line operator 12 protocol Level 2 protocol to be used authentication Use authentication mschap2 chap pap profile profile to use when connecting to the server bundle 128K Use Both channels instead of just one Example of a printout of configured ISDN server interface is here Troubleshooting e The driver could not be loaded or the client server don t work There are some older motherboards which don t support isdn cards Try to change the motherboard e The ISDN channels do not show up in the isdn channel list Check if you have loaded the driver with the driver add command and if you have the isdn and the ppp packages installed e The ISDN client does not connect the isdn server doesn t answer a call Check if you have specified the msn and phone correctly ISDN Examples The following examples of ISDN applications are discussed below e ISDN Dial out e ISDN Dial in e ISDN Backup ISDN Dial out Dial out ISDN connections allow a local router to connect to a remote dial in server ISP s via ISDN Let s assume you would like to set up a router that connects your local LAN with your ISP via ISDN line First you should load the corresponding ISDN card
352. firewall rule customer gt add protocol udp comment Allow UDP connections admin MikroTik ip firewall rule customer gt add protocol icmp comment Allow ICMP messages admin MikroTik ip firewall rule customer gt add protocol tcp tcp option syn only dst address 192 168 0 17 32 80 comment Allow http connections to the server at 192 168 0 17 admin MikroTik ip firewall rule customer gt add protocol tcp tcp option syn dst address 192 168 0 17 32 25 comment Allow smtp connections to the server at 192 168 0 17 admin MikroTik ip firewall rule customer gt add protocol tcp tcp option syn Sre port 20 dst port 1024 65535 MikroTik RouterOS V2 6 Reference Manual Firewall Filters and Network Address Translation NAT comment Allow ftp data connections from servers on the Internet admin MikroTik ip firewall rule customer gt add action reject log yes comment Reject and log everything else admin MikroTik ip firewall rule customer gt print Flags X disabled I invalid 0 jj Allow established TCP connections src address 0 0 0 0 0 0 65535 in interface all dst address 0 0 0 0 0 0 65535 out interface all protocol tcp icmp options any any tcp options non syn only connection state established flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action accept log no 1 jj
353. flict with record 7 111 DD conflict with record 1 22 DD conflict with record 2 wheal DD conflict with record 3 Regional Settings Regional settings are used to adjust the voice port properties to the PSTN system or the PBX For example to detect hang up from line there has to be correct regional setting for the LineJACK card there must be correct busy tone frequency and busy tone cadence set for region which this LineJACK card uses Without that detect cpt parameter for LineJACK s voice port has to be set to true Regional settings are managed under the ip telephony region menu admin MikroTik ip telephony region gt print Flags P predefined 0 P name us data access arrangement us dial tone frequency 350x0 440x0 busy tone frequency 480x0 620x0 busy tone cadence 500 500 500 500 ring tone frequency 480x0 440x0 ring tone cadence 2000 4000 1 P name uk data access arrangement uk dial tone frequency 350x0 440x0 busy tone frequency 400x0 busy tone cadence 375 375 375 375 ring tone frequency 400x0 450x0 ring tone cadence 400 200 400 2000 MikroTik RouterOS V2 6 Reference Manual 285 IP Telephony 2 P name france data access arrangement france dial tone frequency 440x0 busy tone frequency 440x0 busy tone cadence 250 250 250 250 ring tone frequency 440x0 ring tone cadence 1500 3500 3 P name germany data access arrangement germany dial tone frequency 425x0 busy
354. for additional configuration of OSPF specific interface parameters admin MikroTik routing ospf gt interface add interface ether2 admin MikroTik routing ospf gt interface print 0 interface ether2 cost 1 priority 1 authentication key retransmit interval 5s transmit delay 1s hello interval 10s MikroTik RouterOS V2 6 Reference Manual 336 Open Shortest Path First OSPF Routing Protocol dead interval 40s admin MikroTik routing ospf gt Argument description interface interface on which rus OSPF all sets the defaults that will be used for all the interfaces not having specific settings authentication key Authentication key to be used by neighboring routers that are using OSPF s simple password authentication cost Interface cost 1 65535 expressed as the link state metric dead interval Interval after which a neighbor is declared dead The interval is advertised in the router s hello packets This value must be the same for all routers and access servers on a specific network hello interval The interval between hello packets that the router sends on the interface The smaller the hello interval the faster topological changes will be detected but more routing traffic will ensue This value must be the same for all routers on a specific network priority Router priority 0 255 It helps determine the designated router for the network When two routers attached to a network both attempt to be
355. for certain IP addresses, protocols or ports. The queuing is performed for packets leaving the router through a physical interface. It means that the queues should always be configured on the outgoing interface regarding the traffic flow. If there is a desire to limit the traffic arriving at the router, then it should be done at the outgoing interface of some other router. But in some cases you can use a firewall rule that simply drops packets when traffic matching this rule exceeds some value. Contents of the Manual. The following topics are covered in this manual: • Installation • How Queues Work • Configuring Simple Queues • Queue Types • Setting Default Queue Type for the Interface • Configuring Queue Trees • Troubleshooting • Queue Applications: Example of Emulating a 128k/64k Line, Example of Using Masquerading, Example of Guaranteed Quality of Service • Additional Resources: Links on Class Based Queuing (CBQ), Links on Random Early Detection (RED) • More Complete Information about Traffic Control. Installation: The queue management feature is included in the system software package. No additional software package installation is needed for this feature. How Queues Work: There are four types of simple queues implemented in RouterOS: PFIFO, BFIFO, SFQ and RED. This chapter explains the difference between these types and introduces queue trees
356. from 10.0.0.204 [Screenshot: file download dialog asking what to do with the file] Accept the security warning, if any: [Screenshot: Security Warning dialog asking whether to install and run winbox.exe from 10.0.0.204; the publisher cannot be determined because the Authenticode signature was not found] Alternatively, you can save the winbox.exe program to your disk and run it from there. The winbox.exe program opens the Winbox login window. Login to the router by specifying the IP address, user name, and password, for example: [Screenshot: RouterOS WinBox login window, Connect To 10.0.0.204, Login admin] Watch the download process of Winbox plugins: [Screenshot: WinBox downloading plugins from 10.0.0.204] The Winbox console is opened after the plugins have been downloaded: [Screenshot: WinBox console for admin at 10.0.0.204 showing the interface list]
357. fter reboot you will see the new licensing information, for example: [admin@MikroTik] system license> print software id M61X UPT key PSJ5 FG3 BCD upgradeable until dec 01 2002 [admin@MikroTik] system license> Copyright 1999-2002, MikroTik. Log Management. Document revision 19 Nov 2002. This document applies to MikroTik RouterOS v2.6. Overview: Various system events and status information can be logged. Logs can be saved in a file on the router, or sent to a remote server running a syslog daemon. MikroTik provides a shareware Windows Syslog daemon, which can be downloaded from www.mikrotik.com. Topics covered in this manual: • Installation • Hardware Resource Usage • Log Management Description • Log Management Examples. Installation: The Log Management feature is included in the system package. No installation is needed for this feature. Hardware Resource Usage: There is no significant resource usage. Log Management Description: The logging feature sends all of your actions on the router to a log file or to a logging daemon. Router has several global configuration settings that are applied to logging. Logs have different facilities. Logs from each facility can be configured to be discarded, logged locally or remotely. General settings for logging facility can be configured in the system logging menu: [admin@MikroTik] system logging> print default remote
358. gs dns cache ipsec web proxy HTTP proxy telephony IP Telephony interface export admin MikroTik gt ip The list of available commands and menus has short descriptions next to the items You can move to the desired menu level by typing its name and hitting the Enter key for example admin MikroTik gt Base level menu admin MikroTik gt driver Enter driver to move to the driver level menu admin MikroTik driver gt Enter to move to the base level menu from any level admin MikroTik gt interface Enter interface to move to the interface level menu admin MikroTik interface gt ip Enter ip to move to the IP level menu from any level admin MikroTik ip gt A command or an argument does not need to be completed if it is not ambiguous For example instead of typing interface you can type just in or int To complete a command use the Tab key The commands may be invoked from the menu level where they are located by typing its name If the command is in a different menu level than the current one then the command should be invoked using its full or relative path for example admin MikroTik ip route gt print Prints the routing table admin MikroTik ip route gt address print Prints the IP address table admin MikroTik ip route gt ip address print Prints the IP address table The commands may have arguments The arguments have their names and values Some argu
359. > To export the setting on the display, use the same command, but without the file argument: [admin@MikroTik] ip address> export from 0 2 ip address add address 10 5 5 244 24 network 10 5 5 244 broadcast 10 5 5 255 interface ether1 comment disabled no add address 10 5 5 246 32 network 10 5 5 246 broadcast 10 5 5 246 interface ether1 comment disabled no [admin@MikroTik] ip address> To load the saved export file, use the following command: [admin@MikroTik] > import file name address1 rsc [admin@MikroTik] > © Copyright 1999-2002, MikroTik. Backup and Restore. Document revision 19 Nov 2002. This document applies to MikroTik RouterOS v2.6. The configuration backup can be used for backing up MikroTik RouterOS configuration to a binary file, which can be stored on the router or downloaded from it using ftp. The configuration restore can be used for restoring the router's configuration from a backup file. For exporting configuration or part of it to a text (script) file and importing it, please refer to the configuration export and import section of the MikroTik RouterOS Manual. Topics covered in this manual: • Installation • Hardware Resource Usage • Backup and Restore Description • Backup and Restore Examples. Installation: The Backup and Restore features are included in the system package. No installation is needed for this feature. Hardware Res
360. hardware e RSV V 35 RSV models with 1 or 2 RS 232 V 35 interfaces on standard DB25 M 34 connector 5Mbps internal or external clock e T1 E1 TE models with 1 or 2 T1 E1 G 703 interfaces on standard RJ48C connector Full Fractional internal or external clock e X 21 X21 models with 1 or 2 X 21 on standard DB 15 connector 8Mbps internal or external clock For more information about the Cyclades PCI Adapter hardware please see the relevant documentation e http www cyclades com products svrbas pe300 php The product on line documentation e Cyclades PC300 Installation Manual The Installation Manual in pdf format Contents of the Manual The following topics are covered in this manual e Adapter Hardware and Software Installation Software Packages Software License System Resource Usage Installing the Synchronous Adapter Loading the Driver for the Cyclades PC300 PCI Adapter e Interface Configuration e Troubleshooting e RSV V 35 Synchronous Link Applications Adapter Hardware and Software Installation Software Packages The MikroTik Router should have the cyclades software package installed The software package file cyclades 2 6 x npk can be downloaded from MikroTik s web page www mikrotik com To install the package please upload the correct version file to the router and reboot Use BINARY mode ftp transfer After successful installation the package should be listed under the installed software packages
361. hbor Discovery Protocol MNDP e when older version on the RouterOS are upgraded from a version without discovery to a version with discovery current Ethernet like interfaces will not be automatically enabled for MNDP e uses UDP protocol port 5678 e a UDP packet with router info is broadcasted over the interface every 60 seconds e every 30 seconds the router checks if some of the neighbor entries are not stale e if no info is received from a neighbor for more than 180 seconds the neighbor information is discarded MikroTik Discovery Protocol Setup IP MikroTik Packet Packer Protocol management can be accessed under the ip neighbor submenu admin MikroTik ip neighbour gt print print values of item properties find finds items by value get get value of item s property interfac interfaces export admin MikroTik ip neighbour gt print INTERFACE ADDRESS MAC ADDRESS UNPACKING AGE 0 Public 10 5 8 196 00 E0 C5 BC 12 07 yes 23s 1 Public 109 0 167 00 E0 4C 39 23 31 yes Os 2 Public 10 581 00 80 C8 C9 B0 45 yes 3s admin MikroTik ip neighbor gt Argument description interface local interface to which the neighbor is connected address IP address of the neighbor router mac address MAC address of the neighbor router unpacking identifies if the interface of the neighbor router is unpacking Packed Packets age a counter in seconds that shows the age of the informa
362. he interface Public If the gateway was specified incorrectly the value for the argument interface would be unknown Note that you cannot add two routes to the same destination i e destination address netmask It applies to the default routes as well Instead you can enter multiple gateways for one destination For more information on IP routes please read the relevant topic in the Manual If you have added an unwanted static route accidentally use the remove command to delete the unneeded one Do not remove the dynamic D routes They are added automatically and should not be deleted by hand If you happen to then reboot the router the route will show up again Testing the Network Connectivity From now on the ping command can be used to test the network connectivity on both interfaces You can reach any host on both connected networks from the router MikroTik RouterOS V2 6 Reference Manual 18 Configuring Basic Functions admin MikroTik ip route gt ping 10 0 0 4 10 0 0 4 64 byte pong ttl 255 time 7 ms 10 0 0 4 64 byte pong ttl 255 time 5 ms 10 0 0 4 64 byte pong ttl 255 time 5 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 5 5 6 7 ms admin MikroTik ip route gt admin MikroTik ip route gt ping 192 168 0 1 192 168 0 1 64 byte pong tt1 255 time lt l ms 192 168 0 1 64 byte pong tt1 255 time lt l ms 192 168 0 1 64 byte pong tt1 255 time lt l ms 3 packets tr
363. he main table is routing table that can be changed by issuing commands in the ip route menu A new table can be added admin MikroTik ip policy routing gt add name mt admin MikroTik ip policy routing gt print Flags D dynamic NAME 0 karlis 1 D main admin MikroTik ip policy routing gt Routes in a routing table can be added removed changed in ip policy routing table _table name_ menu where _table name_ is name of the table admin MikroTik ip policy routing gt table mt admin MikroTik ip policy routing table mt gt add dst address 10 5 5 0 24 gateway 10 0 0 22 admin MikroTik ip policy routing table mt gt print Flags X disabled I invalid D dynamic R rejected TYPE DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 static 10 5 5 0 24 E tOr Ou 022 1 Public MikroTik ip policy routing table mt gt The main table is the same as one in ip route admin MikroTik ip policy routing gt table main admin MikroTik ip policy routing table main gt print Flags X disabled I invalid D dynamic R rejected TYPE DST ADDRESS G GATEWAY DISTANCE INTERFACE MikroTik RouterOS V2 6 Reference Manual 310 IP Route Management 0 static 192 168 1 0 24 r 192 168 0 50 1 Local 1 static 0 0 0 0 0 r 10 0 0 1 1 Public 2D connect 192 168 0 0 24 r 0 0 0 0 0 Local 3 D connect 10 0 0 0 24 r 0 0 0 0 0 Public admineMikro
364. he current accounting table the current accounting table is cleared and starts accounting data anew The snapshot image can be made in two ways An image of traffic data can be made manually by issuing the ip accounting snapshot take command from the terminal console or WinBox The snapshot can then be viewed with the ip accounting snapshot print command The traffic data from the telnet terminal console will appear admin MikroTik ip accounting snapshot gt print SRC ADDRESS DST ADDRESS PACKETS BYTES SRC USER DST USER 0 10 0 0 4 159 148 147 198 6589 517850 LO se 250 1 05 06 0721 64 307403 19673792 2 10 0 0 161 TOs Ta 23290 307403 19673792 3 159 148 147 198 10 0 0 4 6589 680894 4 10 0 0 99 159 148 147 194 213 12700 The web page report makes it possible to use the standard Unix Linux tool wget to collect the traffic data and save it to a file If the web report is enabled and the web page is viewed the snapshot will be made when the wget or standard browser connection is initiated to the web page The snapshot will then be displayed on the web page TCP protocol used by http connections with the wget tool guarantees that none of the traffic data will be lost The snapshot image will be made when the connection from wget is initiated Web browsers or wget should connect to URL http routerIP accounting ip cgi Note that ip cgi has different value order src address dst address bytes packets src user dst u
365. he remote server to use for dialout password P2P user password on the remote server to use for dialout profile local profile to use for dialout phone phone number for dialout tone dial defines whether use tone dial or pulse dial mtu Maximum Transmit Unit Maximum packet size to be transmitted mru Maximum Receive Unit null modem enable disable null modem mode when enabled no modem initialization strings are sent Default value is off for COM1 and COM2 only So by default null modem is turned off modem init Modem Initialization String dial on demand enable disable dial on demand add default route add PPP remote address as a default route use peer dns use DNS server settings from the remote server If the PPP client is configured properly and it has established a connection to the server you can 1 Monitor the connection using the interface ppp client monitor command 2 See the ppp out interface under the interface print list 3 See the dynamic IP address under the ip address print list 4 Optionally See the dynamic default route under the ip route print list Example of an established connection admin MikroTik interface ppp client gt monitor test uptime 4h35s encoding none status Connected admin MikroTik interface ppp client gt Description of display MikroTik RouterOS V2 6 Reference Manual 158 Point to Point Protocol PPP and Asynchrono
366. he requests originated to it but neighbor MAC addresses will be gathered from ip arp statically set table only disable running check for broken Ethernet cards it is good to disable running status checking as default For almost all interfaces it is possible to monitor the interface status for example admineMikroTik interfac thernet gt monitor ether2 status link ok auto negotiation done rate 100Mbps full duplex yes admineMikroTik interfac thernet gt Please see the relevant interface Manual for more information O Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 66 Atheros 5GHz 54Mbps Wireless Interface Document revisions 18 Jan 2003 V2 6 9 allows setting the supported rate to specific values This document applies to the MikroTik RouterOS V2 6 Overview The MikroTik RouterOS supports the Atheros chipset based wireless adapter cards for working both as wireless clients station mode and wireless access points ap bridge or bridge mode For more information on the Atheros advantages see e http www atheros com pt index html e http www mt lv Documentation manual_ 2 6 Interface http www atheros com A therosRangeCapacityPaper pdf For more information about adapter hardware please see the relevant User s Guides and Technical Reference Manuals of the hardware manufacturers Contents of the Manual The following topics are covered in this manual e Supp
367. hed from the router as type 1 as type 2 no redistribute static if set the router will redistribute the information about all static routes added to its routing database i e routes that have been created using the ip route add command of the router as type 1 as type 2 no redistribute rip If set the router will redistribute the information about all routes learned by the RIP protocol as type 1 as type 2 no redistribute bgp If set the router will redistribute the information about all routes learned by the BGP protocol as type 1 as type 2 no distribute default Controls how to propagate the default route to other routers 4 never do not send own default route to other routers if installed as type 1 or type 2 send the default route only if it has been installed a static default route or route added by DHCP PPP etc always as type 1 or type 2 always send the default route metric default cost of the default route metric connected cost of connected routes metric static cost of static routes metric rip cost of the routes learned by the RIP protocol metric bgp cost of the routes learned by the BGP protocol Note that within an area only the router that is connected to an another AS i e border router should have the propagation of the default route enabled Note on metrics OSPF protocol will try to use the shortest path path
368. hen threshold reaches red min threshold mark randomly with increasing probability as threshold rising Maximum probability is used when traffic reaches red max threshold mark Then packets are simply thrown away burst parameter is the number of packets allowed to burst through the interface when the link is empty generally value of min min max 3 works fine The minimum value that can be used here is equal to the value of red min threshold Classful queues are very useful if you have different kinds of traffic which should have differing treatment Generally we can set only one queue on the interface but in RouterOS even simple queues known as classless queues are attached to the main attached to the root which represent physical interface Class Based Queue CBQ and thus have some properties derived from that parent queue With classful queues it is possible to deploy hierarchical queue trees For example we can set a maximum bandwidth for a workgroup and then distribute that amount of traffic between the members of that group as we can do with simple queues attached to the main CBQ but with upper limit Each queue represents a virtual interface with the allowed bandwidth It can be borrowed from sibling queues queues that are children of one queue if we set bounded to no If we set bounded to yes the queue can not occupy bandwidth of other queues If set to no the queue would use over the allocated bandwidth whenever possible Only
369. her2 ether 1500 2 X ether3 ether 1500 admin MikroTik gt interface enable 0 fadmin MikroTik gt interfac nabl ther3 admin MikroTik gt interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 etherl ether 1500 1 R ether2 ether 1500 2 R ether3 ether 1500 admineMikroTik gt You can monitor the traffic passing through any interface using the interface monitor command admin MikroTik interface gt monitor traffic ether6 received packets per second 271 received bytes per second 148 4kbps sent packets per second 600 sent bytes per second 6 72Mbps admineMikroTik interface gt For some Ethernet NICs it is possible to blink the LEDs for 10s Type interface ethernet blink ether1 and watch the NICs to see the one which has blinking LED In interface ethernet submenu it is possible to set ethernet interface specific parameters admineMikroTik interfac thernet gt print Flags X disabled R running NAME TU MAC ADDRESS ARP O R etherl 1500 00 50 08 00 00 F5 enabled admin MikroTik interfac thernet gt print detail Flags X disabled R running O R name etherl mtu 1500 mac address 00 50 08 00 00 F5 arp enabled disable running check yes admineMikroTik interfac thernet gt set 0 changes properties of one or several items arp Address Resolution Protocol disable running check disabled mtu Maximum Trasfer Unit nam New interfac
370. here is a match the route is used The prefix lists are used when specifying the BGP peers under routing bgp peer or RIP interfaces under routing rip interface An empty prefix list permits all prefixes To add a prefix list use the routing prefix list add command for example admin MikroTik routing prefix list gt add name cybernet admin MikroTik routing prefix list gt print NAME DEFAULT ACTION O cybernet accept admineMikroTik routing prefix list gt Argument description name Name for the prefix list default action Default action for all members of this list accept reject The list members can be added using the routing prefix list list _listname_ add command for example MikroTik RouterOS V2 6 Reference Manual 351 Routing Prefix Lists admin MikroTik routing prefix list gt list cybernet admin MikroTik routing prefix list list cybernet gt add prefix 172 16 0 0 A prefix length 16 admin MikroTik routing prefix list list cybernet gt print PREFIX PREFIX LENGTH ACTION 0 172 16 0 0 0 16 accept admin MikroTik routing prefix list list cybernet gt Argument description prefix network prefix e g 198 168 0 0 prefix length length range of the network prefix in bits e g 16 24 action action for the list member accept reject You can add as many members to the list as required Note that there are two different values to match prefix
371. hold 256 enabled yes Description of arguments enabled Traffic accounting is disabled by default threshold The threshold setting sets the maximum number of IP pairs for the traffic accounting table see Threshold settings for more information on the optimal settings The default setting is for 256 IP pairs Traffic data description Only IP traffic is accounted As each packet passes through the router the packet source and destination is matched to an IP pair in the accounting table and the traffic for that pair is increased User data for PPP PPTP PPPoE and ISDN connections are accounted too If no matching IP or user pair exists a new entry to the table will be created Both the number of packets and number of bytes are accounted Only packets that enter and leave the router are counted Packets that are dropped in the router are not counted Packets that are sent from the router itself are not counted such as packets used for administration connections 1 e web and telnet connections to the router Packets that are masqueraded with the router will be accounted for with the actual IP addresses on each side Packets that are going through bridged interfaces i e inside the bridge interface are also accounted correctly See Traffic Display and collection for a printout of a snapshot For example a TCP connection between two computers with traffic going through the router will cause two IP pairs to be added to the tr
372. hrough the PPTP tunnel now Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 350 Routing Prefix Lists Document revision 21 Aug 2002 This document applies to MikroTik RouterOS V2 6 Overview Prefix lists are used to filter routes received from or sent to other routers Topics covered in this manual e Prefix List Installation on the MikroTik RouterOS e Prefix List Setup Prefix List Installation on the MikroTik RouterOS The plist 2 6 y npk package is required The package can be downloaded from MikroTik s web page www mikrotik com To install the package please upload one to the router with ftp and reboot You may check to see if the package is installed with the command admin MikroTik gt system package print Flags I invalid NAME VERSION BUILD TIME UNINSTALL 0 system 2 6betal aug 09 2002 20 22 14 no 1 rip 2 6betal aug 09 2002 20 33 41 no 2 ppp 2 6betal4 aug 09 2002 20 28 01 no 3 plist 2 6betal aug 09 2002 20 32 58 no 4 pppoe 2 6betal aug 09 2002 20 29 18 no 5 pptp 2 6betal aug 09 2002 20 28 43 no 6 ssh 2 6beta4 aug 09 2002 20 25 31 no 7 advanced tools 2 6beta4 aug 09 2002 20 53 37 no 7 bgp 2 6betal aug 09 2002 20 34 22 no 9 ipsec 2 6betal aug 09 2002 20 24 51 no 10 ospf 2 6betal aug 09 2002 20 34 08 no fadmin MikroTik gt Prefix List Setup Filtering by prefix list involves matching the prefixes of routes with those listed in the prefix list When t
373. ia 187; MT child Configuration 188; Supported Prism M Hardware 189; RadioLAN 5 8GHz Wireless Interface 191; [illegible] 191; Contents of the Manual 191; Wireless Adapter Hardware and Software Installation 191; Software Packages 191; [illegible] 192; System Resource Usage 192; Installing the Wireless Adapter 192; Loading the Driver for the Wireless Adapter 193; Wireless Interface Configuration 193; Wireless Troubleshooting 196; [illegible] 196; Point to Point Setup with Routing 196; Virtual LAN VLAN Interface 197; [illegible] 197; Contents of the Manual 197; [illegible] 197; Hardware Resource Usage 197
374. icated PC Router with MikroTik RouterOS After installing the router and starting it up for the first time you will be given a Software ID 1 Write down the Software ID reported by the RouterOS 2 If you have an account with MikroTik follow to the next step If you do not have an account at www mikrotik com just press the New button on the upper right hand corner of the MikroTik s web page to create your account Account Server Login Password Log in New h You will be presented with the Account Sign Up Form where you chose your account name and fill in the required information To obtain the Software License Key log on to your account at www mikrotik com entering your account name and password upper right hand corner on this webpage for example uy Account Server Login ismith Password New 4 After logging on to the Account Server select Free Demo License or Order Software License in the Account Menu Note The CD or Netinstall installation cannot be unlocked with the Free Demo Key Use the Floppy installation or purchase the License Key The Software Key will be sent to the email address which has been specified in your account setup 6 Read your email and enter the Software Key at the router s console for example Nn Software ID 5T4V IUT Software key 4N7X UZ8 6SP MikroTik RouterOS V2 6 Reference Manual 6 Setting up MikroTik RouterOS Instead of
375. id of backup designated router for this neighbor Running OSPF After configuring OSPF on a number of interconnected routers dynamic routes should appear in the ip route print list admin MikroTik ip route gt print Flags X disabled I invalid D dynamic J rejected connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE O S our default gateway 0 0 0 0 0 r 10 0 0 1 1 etherl 1 DC 192 168 0 0 24 r 0 0 0 0 0 ether4 2 DO 10 10 10 0 24 r 10 10 1 1 110 ether2 3 DC 10 10 1 0 24 r 0 0 0 0 0 ether2 4 DC 10 0 0 0 24 r 0 0 0 0 0 etherl admin MikroTik routing ospf gt In this case we have one one route connected through 10 10 1 1 router item 2 As current router distributes its routes too including default one in 10 10 1 1 router we have admin Remote gt ip route print Flags X disabled I invalid D dynamic J rejected Cc connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 DO 0 0 0 0 0 r 10 10 1 2 110 etherl 1 DO 192 168 0 0 24 r 10 10 1 2 110 etherl 2 DC 10 10 10 0 24 P 03 0 050 0 radiolanl 3 DC 10 10 1 0 24 r 0 0 0 0 0 etherl MikroTik RouterOS V2 6 Reference Manual 338 Open Shortest Path First OSPF Routing Protocol 4 DO 10 5 5 0 24 r 10 10 1 2 110 etherl 5 DO 10 0 0 0 24 r 10 10 1 2 110 etherl admin Remote gt OSPF Troubleshooting e OSPF does not work on point
376. idge ssid br8 frequency 5300MHz root ap XX XX XX XX Xx xx and enable atheros1 interface you can use mode ap bridge if you have Atheros AP License interface atheros set atherosl mode bridge ssid br8 frequency 5300MHz rTOOt ap XX XX XX XX xx xx disabled no Here substitute the xx xx xx xx xx xx with MAC address of MT parent atheros interface Check your setup and see if you have successfully registered to the root AP Its MAC address should be listed as parent ap in the registration table of atheros interface for example W admin MT child interface atheros gt registration table print INTERFACE MAC ADDRESS TYPE PARENT O atheros1l 00 06 AB 00 37 8E parent ap admin MikroTik interface atheros gt 4 Add bridge interface and specify forwarded protocol list interface bridge add forward protocols ip arp other disabled no 5 Specify ports atheros1 and ether1 that belong to bridgel interface bridge port set etherl atherosl bridge bridgel 6 Assign IP address 10 0 0 218 24 to the bridgel interface ip address add address 10 0 0 218 24 interface bridgel 7 Set default route to 10 0 0 1 ip route add gw 10 0 0 1 Note that both LANs should use IP addresses from the same network 10 0 0 0 24 Both MikroTik routers belong to the same network too You should be able to ping through the wireless bridge from one LAN to other and to gateway 10 0 0 1 Supported Hardware This is the lis
377. ie RADIUS attributes additionally included in Stop and Interim Update Accounting Request packets Acct Session Time connection uptime in seconds Acct Input Octects bytes received from the client Acct Input Packets packets received from the client Acct Output Octets bytes sent to the client Acct Output Packets packets sent to the client Stop Accounting Request packets can additionally have Acct Terminate Cause session termination cause described in RFC2866 Ch 5 10 RADIUS Servers Suggested MikroTik RouterOS RADIUS CLIENT should work well with all RFC compliant servers It has been tested with Vircom RADIUS http www vircom com Livingston RADIUS 2 1 _http www livingston com PPPoE Bandwidth Setting For local authentication this can be set in the ppp profile menu with the tx bit rate and rx bit rate values identical to bits s For Radius authentication the account of each user in the radius server should be set with Parameter Ascend Data Rate vendor id 529 attribute id 197 in bits s PPP Troubleshooting e am using RADIUS authentication After abnormal connection loss between the PPP or PPTP or PPPoE client and MikroTik server I cannot reconnect because of wrong username password The problem might be in the RADIUS server which has kept the client state as connected If only one connection per client is allowed the second connection is not authenticated e My link between the PPPoE cli
378. ient DHCP Client only with dhcp package 80 tcp World Wide Web HTTP Change under ip service 123 tcp Network Time Protocol Only with ntp package 161 tcp SNMP Only with snmp package 500 udp IKE protocol Only with ipsec package 179 tcp Border Gateway Protocol Only with bgp package 1719 udp h323gatestat Only with telephony package 1720 tcp h323hostcall Only with telephony package 1723 tcp pptp Only with pptp package 2000 tcp bandwidth test server 3986 tcp proxy for winbox 3987 tcp sslproxy for secure winbox Only with ssh package 5678 udp MikroTik Neighbor Discovery 8080 tcp HTTP Alternate Only with web proxy package can be changed FL ICMP Internet Control Message 4 IP IP in IP encapsulation 47 GRE General Routing Encapsulation Only for pptp and eoip 50 ESP Encap Security Payload for IPv6 Only with ipsec package 51 AH Authentication Header for IPv6 Only with ipsec package 89 OSPFIGP OSPF Interior Gateway Protocol MikroTik RouterOS V2 6 Reference Manual 313 Services Protocols and Ports O Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 314 WEB Proxy Document revision 22 Oct 2002 This document applies to the MikroTik RouterOS V2 6 Overview The MikroTik RouterOS has the squid proxy server implementation Proxy server features e Regular http proxy e Transparent proxy Can be transparent and regular at the same
379. ies of the XP PPPoE client If the service name is not set or it does not match the service name of the MikroTik PPPoE server you get the line is busy errors or the system shows verifying password unknown error e I want to have logs for PPPoE connection establishment Configure the logging feature under the system logging facility and enable the PPP type logs Additional Resources Links for PPPoE documentation e http www ietf org rfc rfc2516 txt e http www cisco com univercd cc td doc product software ios120 120newft 1 20limit 120dc 120dc3 pppoe e http www carricksolutions com PPPoE Clients e RASPPPOE for Windows 95 98 98SE ME NT4 2000 XP NET http user cs tu berlin de normanb Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 163 Point to Point Tunnel Protocol PPTP Document revision 28 Dec 2002 This document applies to the MikroTik RouterOS V2 6 Overview PPTP Point to Point Tunnel Protocol supports encrypted tunnels over IP The MikroTik RouterOS implementation includes a PPTP client and a PPTP server General usage of PPTP tunnels e For secure router to router tunnels over the Internet e To link bridge local Intranets or LANs when EoIP is also used e For mobile or remote clients to remotely access an Intranet LAN of a company see PPTP setup for Windows for more information Our RouterOS has a RADIUS client that can be used for authentication o
380. iew Local P2P authentication is part of the general user database stored on the router this database is also responsible for administration authentication for the router Certain attributes are supported for P2P users e P2P remote address set from RADIUS server e Time limit of connections set from RADIUS server e MAC address PPPoE or remote client address PPTP reported to RADIUS server e System identity e Traffic accounting PPP style no IP pairs Local Authentication Management of P2P Users P2P users are configured in ppp secret and ppp profile PPP Profile With PPP installation one default profile is created PPP profiles are used to define default values to users managed in ppp secret submenu Settings in ppp secret override corresponding ppp profile settings except in one case when local address or remote address are configured in both ppp secret and ppp profile but in one of them ip pool is referred concrete IP addresses always take precedence PPP profiles are configured as follows admin MikroTik ppp profile gt print Flags default 0 name default local address 0 0 0 0 remote address 0 0 0 0 session timeout 0s idle timeout 0s use compression no use vj compression yes us ncryption no require encyrption no only one no tx bit rate 0 rx bit rate 0 incoming filter outgoing filter admin MikroTik ppp profile gt Argument description name profile name local
381. ik Fi MikroTik RouterOS V2 6 Reference Manual 31 Scripting Manual Document revision 29 Nov 2002 This document applies to the MikroTik RouterOS V2 6 Overview Scripting gives the administrator a way to execute console commands by writing a script for the router which is executed on the basis of time or events that can be monitored on the router Some examples of uses of scripting could be setting bandwidth settings according to time In RouterOS v2 6 a script may be started in three ways e according to a specific time or an interval of time e on an event for example if the netwatch tool sees that an address does not respond to pings e by another script To write a script the writer must learn all of the console commands described in the relevant documentation Scripts may be written for the System Scheduler see relevant manual the Traffic Monitoring Tool see relevant manual and for the Netwatch Tool Contents of the Manual e Scripts e Network Watching Tool e Writing Scripts Console scripting introduction Command Grouping level commands 4 Variables Changing variable values Command substitution return values Expressions Value types Colon commands Monitor commands Get commands e More on syntax Scripts The scripts are stored under system script Use the add command to add a new script The following example is a script for writing message kuku to the system log
382. ik RouterOS 351; [illegible] 351; Routing Information Protocol RIP 353; [illegible] 353; RIP Installation on the MikroTik RouterOS 353; RIP Routing Setup 353; RIP Interface Setup 354; [illegible] 355; RIP Routes 356; Additional Resources 356; RIP Examples 356; The Configuration of the MikroTik Router 357; The Configuration of the Cisco Router 358; Border Gateway Protocol BGP Routing Protocol 360; [illegible] 360; Contents of the Manual 360; Installation 360; Hardware Resource Usage 361; BGP Description 361; BGP Setup 361; Setting the Basic BGP Configuration 361; BGP Network 362; MikroTik RouterOS V2 6 Reference Manual xiv
383. ikroTik interface ppp server gt enable 0 admin MikroTik interface ppp server gt monitor test user uptime Os encoding status Waiting for call admin MikroTik interface ppp server gt Description of settings port Serial port authentication Authentication protocol One or more of mschap2 chap pap Encrypted links are only supported when ms chapv2 is selected This is a feature of the protocol It is suggested that only mschap2 is selected unless there is a special situation which requires an unencrypted link profile profile name for the link mtu Maximum Transmit Unit Maximum packet size to be transmitted mru Maximum Receive Unit null modem Enable Disable null modem mode when enabled no modem initialization strings are sent Default value is off for COM1 and COM2 only So by default null modem is turned off modem init Modem Initialization String ring count Number of rings to wait before answering phone name Interface name for reference When dialing in the users can be authenticated locally using the local user database in the user menu or at the RADIUS server specified in the ip ppp settings PPP Client Setup PPP profiles must match at least partially local address and values connected with encryption should match with corresponding remote server values The PPP client management can be accessed under the interface ppp client submenu You can ad
384. in from client 133 bytes out to client 15 packets in from client 9 packets out to client Authentication using RADIUS Server RADIUS Overview RADIUS authentication gives the ISP or network administrator the ability to manage P2P user access and accounting from one server throughout a large network The MikroTik RouterOS has a RADIUS client which can authenticate for PPP PPPoE and PPTP connections no ISDN remote access support currently Features supported e PPP remote address set from RADIUS server e Time limit of connections set from RADIUS server e MAC address PPPoE or remote client IP address PPTP reported to RADIUS server e System identity e Traffic accounting PPP style no IP pairs Note that if RADIUS server is used then resulting settings for the client are taken from the RADIUS server and from the default profile so that settings received from the RADIUS server will always override corresponding settings taken from the default profile RADIUS Client Setup To use RADIUS client enable it and set the appropriate parameters admin MikroTik ppp radius client gt set enabled yes primary server 10 10 1 1 shared secret us admin MikroTik ppp radius client gt print enabled yes accounting yes MikroTik RouterOS V2 6 Reference Manual 149 General Point to Point Settings primary server 10 10 1 1 secondary server 0 0 0 0 shared secret users authentication port 1812 accounting port
385. ing 1D Type IP Subnet y Subnet fro Mask 255 2552550 Port far Protocol far IV Connect using Secure Gateway Tunnel y ID Type IP Address fi 0 0 0 204 Click here to find out about program add ons Connection Security select Secure in Remote Party Identity And Addressing box MikroTik RouterOS V2 6 Reference Manual 270 IPsec ID Type select IP Subnet Subnet enter 1 1 1 0 Mask enter 255 255 255 0 check Connect using select Secure Gateway Tunnel ID Type select IP Address enter below 10 0 0 204 Configure pre shared key select correct interface to connect to 10 0 0 204 router with the proper address 10 0 0 81 Security Policy Editor SonicWALL PN Client File Edit Options Help als xal 14 Network Security Policy H 2 My Connections My Identity E dep my connection i Pre Shared Key O hiy Identity Select Certificate tA Security Policy None y B E Authentication Phase 1 1D Type Port 5 O Proposal 1 ir address y far a E B 35 Key Exchange Phase 2 IP Address ha Al E EA Proposal 1 100081 Ap Other Connections Virtual Adapter Disabled X Intemal Network IP Address foo 0 0 j Internet Interface Name E Realtek RTL8139 Family PCI Fast Ethernet y IP Addr 110 0 0 81 in My Identity box Select Certificate select None click Pre Shared Key Pre Shared Key pops up Pre Shared Key a xx Enter Pre Shared
386. ing the system shutdown command admin MikroTik system gt shutdown Shutdown yes y N y system will shutdown promptly For most systems it is necessary to wait approximately 30 seconds for a safe power down Configuration Reset The reset command clears all configuration of the router and sets it to the default including the login name and password admin and no password admin MikroTik system gt reset Dangerous Reset anyway y N The router is rebooted after the reset command Router Identity The router identity is displayed before the command prompt It is also used for DHCP client as host name parameter when reporting it to the DHCP server The router identity can be set using the system identity set command admin MikroTik system identity gt print name MikroTik admin MikroTik system identity gt set name Our_GW admin Our_GW system identity gt Date and Time Settings The system Date and Time settings are managed under the system clock menu admin MikroTik system clock gt print time aug 09 2002 21 27 29 time zone 03 00 admin MikroTik system resource gt To set the system date and time use the set command admin MikroTik system clock gt set MikroTik RouterOS V2 6 Reference Manual 388 System Resource Management Set new system date or time date New system date month DD YYYY time New system time HH MM SS time zone Local time zone admin MikroTik system cl
387. ing the License License management can be accessed under the system license menu admin MikroTik system license gt print software id M61X UPT key 7CJH BD6 UXK upgradeable until apr 01 2002 admin MikroTik system license gt set Set the new Software Key feature Unlocked router features print Show license information get get value of property admin MikroTik system license gt Here the upgradeable until means the date until which software can be upgraded to higher versions To see the software features that are enabled with the current license use the following command admin MikroTik system license gt feature print Flags X disabled FEATURE X AP synchronous X radiolan wireless 2 4gHz 4 licensed admin MikroTik system license gt WNrR Oo Here we see that the software has full license not the demo version and the 2 4GHz Wireless and Synchronous features are enabled MikroTik RouterOS V2 6 Reference Manual 372 License Management Obtaining Additional License Features To enable additional MikroTik RouterOS software features or to enable upgrading if it has expired a new Software Key should be obtained from the Account Server at www mikrotik com The new Software Key should be supplied to the router and the system should be rebooted admin MikroTik system license gt set key PSJ5 FG3 BCD admin MikroTik system license gt system reboot Reboot yes y N y A
388. ing with an IEEE 802 11b access point register to the AP you should set the following parameters The Service Set Identifier It should match the ssid of the AP e The Operation Mode of the card should be set to infrastructure e The Data Rate of the card should match one of the supported data rates of the AP Data rate auto should work for most of the cases All other parameters can be left as default To configure the wireless interface for registering to an AP with ssid MT_w_AP it is enough to change the argument value of ssid to MT_w_AP admin MikroTik interface wavelan gt set 0 ssid MT_w_AP mode infrastructure fadmin MikroTik interface wavelan gt monitor wavelanl bssid 00 40 96 42 0C 9C frequency 2437MHz data rate 11Mbit s ssid MT_w_AP signal quality 65 signal level 228 noise 163 admineMikroTik interface wavelan gt Wireless Troubleshooting e The wavelan interface does not show up under the interfaces list Obtain the required license for 2 4GHz wireless feature e The wireless card does not register to the AP Check the cabling and antenna alignment e I get the wireless interface working and registering to the AP but there is no data transmitted I cannot ping the AP This is IRQ conflict See the special notice for PCMCIA PCI adapter users under the Wireless Adapter Installation instructions above Wireless Network Applications Two possible wireless network configurations are discussed in the
389. inks in standard mode 26 is fine Maximum for 802 11a standard mode is 204 microseconds maximum for the PTP Turbo and Turbo mode is 102 microseconds For example a 4km link works fine with ack time 70 Station Mode Configuration To set the wireless interface working with an IEEE 802 11a access point register to the AP you should set the following parameters e The Service Set Identifier It should match the SSID of the AP e The Operation Mode of the card should be set to station All other parameters can be left as default To configure the wireless interface for registering to an AP with ssid testing it is enough to change the argument value of ssid to testing and to enable the interface admin MikroTik interface atheros gt set atherosl ssid testing admineMikroTik interface atheros gt enable atherosl admin MikroTik interface atheros gt pr Flags X disabled R running 0 name atheros1 mtu 1500 mac address 00 06 AB 00 37 8B arp enabled mode station root ap 00 00 00 00 00 00 frequency 5240MHz ssid testing supported rates 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates 6Mbps protocol 802 11 standard ack time 100 default authentication yes default forwarding yes max clients 2007 admineMikroTik interface atheros gt New in V2 6 9 You can limit the maximum data rate of a client depending on the RF link quality to say 36Mbps by specifying the client to work up to tha
390. ion 01 Oct 2002 This document applies to the MikroTik RouterOS V2 6 Overview SNMP is a network protocol that allows managing many network devices from one location MikroTik RouterOS supports SNMPv2 Simple Network Management Protocol version 2 as defined by RFC 1592 Installation of the SNMP package makes the router an SNMP agent The MikroTik RouterOS supports e SNMPv2 only e Read only access is provided to the NMS network management system e User defined communities are supported e No Trap support Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e SNMP Setup 4 SNMP Communities e Tools for SNMP Data Collection and Analysis e Example of using MRTG with Mikrotik SNMP e Additional Resources Installation The snmp 2 6 x npk less than 150KB package for installation of SNMP is required The package can be downloaded from MikroTik s web page www mikrotik com To install the package please upload it to the router with ftp and reboot See if you have the required software package installed using the system package print command Hardware Resource Usage When the SNMP is enabled it uses approximately 2MB of RAM When using SNMP memory usage estimates should be made system resources should be monitored and RAM should be increased accordingly SNMP Setup SNMP management can be accessed under the snmp menu Use the set command to configure
391. ion of the item copy from item number disabled interfac Interface nam netmask Network mask network Network prefix admin MikroTik ip address gt add address 192 168 0 254 24 interface Local admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 254 24 192 168 0 0 192 168 0 255 Local admin MikroTik ip address gt Description of the arguments address local IP address can be in the form address mask where mask is number of bits in the subnet mask netmask network mask to be used with the network prefix Must be in the decimal form a b c d network optional network prefix to be used with the address It shows what network can be reached through the interface with the given IP address If not specified will be calculated from local address and network mask For point to point links should be the address of the remote end broadcast optional broadcast address to be used with the address If not specified will be calculated from local address and network mask interface name of the interface the address will be used with Address Resolution Protocol ARP Address Resolution Protocol is used to map IP address to MAC layer address Router has a table of currently used ARP entries Normally table is built dynamically but to increase network security static entries can be added The ARP management can be acce
392. ip dhcp server add name hs_temp interface prisml lease time 12s address pool temp netmask 255 255 255 0 gateway 192 168 0 1 dns server 159 148 60 2 159 148 108 1 domain mt lv add arp yes disabled no Add hotspot server setup for logged in IP addresses 00 ip hotspot server add name hs_dhcp dhcp server hs_temp address pool hspot Y netmask 255 255 255 0 gateway 10 5 50 1 9 Add local hotspot user ip hotspot user add name ax password ex 10 Setup hotspot service to run on port 80 www service has to be assigned another port e g 8081 ip service set www port 8081 ip service set hotspot port 80 Note Changing www service to other port than 80 requires that you specify the new port when connecting to MikroTik router using WinBox e g use 10 5 50 1 8081 in this case MikroTik RouterOS V2 6 Reference Manual 243 HotSpot Gateway 11 redirect all TCP requests from temporary IP addresses to hotspot service ip firewall dst nat add src address 192 168 0 0 24 protocol tcp action redirect to dst port 80 comment redirect unauthorized hotspot clients to hotspot service 12 Allow DNS requests and ICMP ping from temporary addresses and reject everything else ip firewall rule forward add src address 192 168 0 0 24 protocol icmp ip firewall rule forward add src address 192 168 0 0 24 protocol udp dst port 53 ip firewall rule forward add src address 192 168 0 0 24 action reject comment reject access for unauthor
393. is script local variables introduced by local or created by for or foreach global variables introduced by global in short all variables that can be used from the current script are listed under heading Local Variables admineMikroTik gt environment print Global Variables gl this is global variable Local Variables gl this is global variable 1l this is local variable counter 2 MikroTik RouterOS V2 6 Reference Manual 44 Scripting Manual fadmin MikroTik gt This can be useful in debugging scripts or just for figuring out how variables work in console Suppose we don t want to use variable g1 anymore admin MikroTik gt unset gl admineMikroTik gt environment print Global Variables gl this is global variable Local Variables 1l this is local variable counter 2 admin MikroTik gt put gl ERROR unknown variable gl admineMikroTik gt Here although such global variable still exists and we can get it back with global gl command it is unknown because we have told current script to forget about it admin MikroTik gt global gl admin MikroTik gt put gl this is global variable admineMikroTik gt Monitor commands It is possible to access values that are shown by most monitor commands from scripts If monitor command has do argument it can be supplied either script name see system scripts or console commands If do argument is present monitor command will e
394. is set to 0 0 0 0 under the ip dns settings To enable DHCP client on Mikrotik router specify the interface for it for example admin MikroTik ip dhcp client gt set enabled yes interface etherl admin MikroTik ip dhcp client gt print enabled yes interface etherl client id add default route yes Descriptions of arguments enabled Enables or disables the DHCP client yes no interface Can be set to any Ethernet like interface this includes wireless and EoIP tunnels client id optional It should correspond to the settings suggested by the network administrator or ISP add default route defines whether to add the default route to the gateway specified by DHCP server yes no To show obtained leases use lease print command for example admin MikroTik ip dhcp client gt lease print address 80 232 241 15 21 expires oct 20 2002 09 43 50 gateway 80 232 240 1 primary dns 195 13 160 52 secondary dns 195 122 1 59 admin MikroTik ip dhcp client gt To renew current leases use the renew command If the renew operation was not successful client tries to reinitialize lease i e it starts lease request procedure as it has not received an IP address yet DHCP Server Setup The router supports an individual server for each Ethernet like interface The MikroTik RouterOS DHCP server supports the basic functions of giving each requesting client an IP address netmask lease default ga
395. it at 64000 bounded yes max burst 0 admin MikroTik queue tree gt print Flags X disabled I invalid D dynamic 0 name Server parent Public flow Serv_Up limit at 0 max burst 20 queue default priority 8 weight 1 allot 1514 bounded no 1 name Workst parent Public flow Local all limit at 64000 max burst 0 MikroTik RouterOS V2 6 Reference Manual 330 Queues and Bandwidth Management queue default priority 8 weight 1 allot 1514 bounded yes admin MikroTik queue tree gt Thus we used queue trees for limiting the upload Use the same simple queues as in the previous example for limiting the download Example of Guaranteed Quality of Service This example shows how to limit bandwidth on a channel and guarantee minimum speed to the FTP server allowing other traffic to use the rest of the channel Assume we want to emulate a 128k download and 64k upload line connecting IP network 192 168 0 0 24 as in the previous examples But if these speeds are the best that you can get from your Internet connection you may want to guarantee certain speeds to the 192 168 0 17 server so that your customers could download from and upload to this server with the speeds not dependent on the other traffic using the same channel for example we will guarantee this server the speed of 32k for each flow direction First of all you should limit the interface speed admin MikroTik queue tree gt add name Up parent Public limit a
396. itches and Cisco routers that can not be managed in band by telnet through an IP network Another situation describes a need to monitor weather reporting equipment through a serial console Another situation described a connection to a high speed microwave modem that needed to be monitored and managed by a serial console connection With the serial terminal feature of the MikroTik one to thirty four devices can be monitored and controlled using serial expansion cards from more than two devices The serial console was tested and found working with e PLANET FNSW 16005 Ethernet Smart Switch e Cisco 1005 e US Robotics Courier V Everything Modem e MikroTik RouterOS O Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 384 Support Output File Document revision 12 Aug 2002 This document applies to MikroTik RouterOS v2 6 The support file is used for debugging MikroTik RouterOS and to solve the support questions faster All MikroTik Router information is saved in a binary file which is stored on the router and can be downloaded from the router using ftp Topics covered in this manual e Installation e Hardware Resource Usage e Support File Description e Example of Making Support Output File Installation The Support file feature is included in the system package No installation is needed for this feature Hardware Resource Usage There is no significant resource usage Support File
397. ity RF links limit the maximum data rate of a client by specifying the supported rate argument for example set supported rate 6Mbps 12Mbps 36Mbps Wireless Network Applications Three possible wireless network configurations are discussed in the following examples e Wireless Client e Wireless Access Point e Wireless Bridge Wireless Client Let us consider the following point to multipoint network setup with MikroTik with Atheros Wireless Interface in AP bridge mode as a wireless bridge and MikroTik Wireless Router as a client Were i i rigge eee e frequency 5180 Internet A Internet address 10 0 0 250 24 Gateway 10 0 0 1 5 GHz Wireless Network 54 Mbps Y 10 0 0 0 24 A interface atheros1 ssid1 mt Wireless Router 1 mode station MikroTik address 10 0 0 217 24 O y interface ether address 192 168 0 254 24 Local Network 192 168 0 0 24 O A gt Workstation Laptop 192 168 0 1 192 168 0 2 The wireless bridge is connected to the wired network s HUB and has IP address from the network 10 0 0 0 24 See below for the wireless bridge configuration The minimum configuration for the MikroTik router s atheros wireless interface is 1 Setting the Service Set Identifier to that of the AP i e mt 2 The Operation Mode should be station admineMikroTik interface atheros gt set 0 ssid mt admineMikroTik interface atheros gt monitor 0 MikroTik RouterOS V2 6 R
398. ized hotspot clients 13 Add hotspot chain ip firewall add name hotspot 14 Pass all through going traffic to hotspot chain ip firewall rule forward add action jump jump target hotspot If client has obtained temporary address its lease is shown as admin HotSpot_GW gt ip dhcp server lease print Flags X disabled D dynamic H hotspot ADDRESS MAC ADDRESS EXPIRES A SERVER STATUS 0D 192 168 0 254 00 40 96 13 B3 47 8s hs_temp bound admin HotSpot_GW gt After successful authentication its DHCP address is changed and it is listed under active hotspot users admin HotSpot_GW gt ip dhcp server lease print Flags X disabled D dynamic H hotspot ADDRESS MAC ADDRESS EXPIRES A SERVER STATUS O DH 10 5 50 2 00 40 96 13 B3 47 56s hs_temp bound admin HotSpot_GW gt ip hotspot active print USER ADDRESS UPTIME SESSION TIMEOUT IDLE TIMEOU 0 ax 110 5 50 2 2m25s admin HotSpot_GW gt ip hotspot active print stats USER UPTIME BYTES IN BYTES OUT PACKETS IN PACKETS 0U 0 ax 13m26s 145268 264282 475 494 admin HotSpot_GW gt User statistics show accumulated values prior to current session admin HotSpot_GW gt ip hotspot user print stats Flags X disabled NAME UPTIME BYTES 1N BYTES OUT PACKETS IN PACKETS 0OUT 0 ax 6m29s 9896 31156 80 77 admin HotSpot_GW gt
399. k interface gt print Flags X disabled D dynamic R running NAME TYPE MTU O R etherl ether 1500 1 X ether2 ether 1500 2 X ether3 ether 1500 3 moxa sync 1500 admin MikroTik gt More configuration and statistics parameters can be found under the interface synchronous menu admineMikroTik interface gt synchronous admin MikroTik interface synchronous gt print Flags X disabled 0 name moxa mtu 1500 line protocol cisco hdlc clock rate 64000 clock source tx from rx frame relay 1mi type ansi frame relay dce no cisco hdlc keepalive interval 10s ignore dcd no admin MikroTik interface synchronous gt set changes properties of one or several items lt numbers gt list of item numbers cisco hdlc keepalive interval clock rate clock source disabled frame relay dc Operate in DCE mode frame relay 1mi typ ignore dcd Ignore DCD line protocol Line protocol mtu Maximum Transmit Unit nam New interface nam admin MikroTik interface synchronous gt set Argument description numbers Interface number in the list cisco hdlc keepalive interval Keepalive period in seconds 0 32767 clock rate Speed of internal clock clock source Clock source external internal tx from rx tx internal disabled disable or enable the interface frame relay dce Operate in DCE mode yes no frame relay Imi type Frame Relay Local Management Inter
400. k system resource gt irq print Flags U unused IRQ OWNER T keyboard APIC 2 3 4 sync1 5 pel 6 7 8 U 9 10 ether2 11 etherl y 12 13 FPU 14 IDE 1 admin MikroTik system resource gt io print PORT RANGE OWNER 20 3F APIC 40 5F timer 60 6F keyboard 80 8F DMA AO BF APIC CO DF DMA FO FF FPU 1F0 1F7 IDE 1 300 33F pel 3C0 3DF VGA 3F6 3F6 IDE 1 CF8 CFF PCI confl 1000 100F Silicon Integrated Systems SiS 5513 IDE 1000 1007 IDE 1 1008 100F IDE 2 6000 60FF Realtek Semiconductor Co Ltd RTL 8139 6000 60FF 8139to0 6100 61FF Realtek Semiconductor Co Ltd RIL 8139 2 6100 61FF 8139too admin MikroTik system resource gt Note that the resource list shows only the interfaces if they are enabled MikroTik RouterOS V2 6 Reference Manual 61 Device Driver Management Removing Device Drivers Use the driver remove command to remove device drivers Unloading of device driver is useful when changing network devices this can be useful to save system resources in avoiding loading drivers for devices which have been removed from the system Device driver needs to be removed and loaded again if some parameter memory range i o base address has been changed for the adapter card The device drivers can be removed only if the appropriate interface has been disabled Notes on PCMCIA Adapters Currently only the following PCMCIA ISA and PCMCIA PCI adapt
401. k RouterOS V2 6 Reference Manual 224 Firewall Filters and Network Address Translation NAT Redirection and Destination NAT Redirection and destination NAT should be used when you need to give access to services located on a private network from the outside world To add a destination NAT rule that gives access to the http server 192 168 0 4 on the local network via external address 10 0 0 217 use the following command admin MikroTik ip firewall dst nat gt add action nat protocol tcp dst address 10 0 0 217 32 80 to dst address 192 168 0 4 admin MikroTik ip firewall dst nat gt print Flags X disabled I invalid 0 src address 0 0 0 0 0 0 65535 in interface all dst address 10 0 0 217 32 80 protocol tcp icmp options any any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action nat to dst address 192 168 0 4 to dst port 0 65535 admineMikroTik ip firewall dst nat gt Here if you want to redirect to the router s local address use action redirect and do not specify the to dst address Understanding REDIRECT and MASQUERADE REDIRECT is similar to regular destination NAT in the same way as MASQUERADING is similar to source NAT masquerading is source NAT except you do not have to specify to src address outgoing interface address is used automatically The same with REDIRECT it is destination NAT where to dst address is not used incoming interface address
402. kroTik RouterOS services It helps you to determine why your MikroTik router listens to certain ports and what you need to block allow if you want to prevent or grant access to the certain services Please see the relevant sections of the Manual for more explanations Complete list of protocol numbers can be found at http www iana org assignments protocol numbers Complete list of port numbers can be found at http www iana org assignments port numbers Some service settings can be changed under ip service menu You can specify IP addresses from which the service is accessible for example admin MikroTik ip service gt set www port 8081 address 10 5 0 0 16 admin MikroTik ip service gt print Flags X disabled I invalid NAME PORT ADDRESS 0 telnet 23 0 0 0 0 0 1 ftp 21 0 0 0 0 0 2 WWW 8081 10 5 0 0 16 admin MikroTik ip service gt Below is a list of protocols and ports used by MikroTik RouterOS services Some services require additional package to be installed as well as enabling them e g bandwidth server Port Description 20 tcp File Transfer Default Data 21 tcp File Transfer Control Change under ip service 22 tcp SSH Remote Login Protocol Only with ssh package 23 tcp Telnet 53 tcp Domain Name Server Only with dns cache package 53 udp Domain Name Server Only with dns cache package 67 udp Bootstrap Protocol Server DHCP Server only with dhcp package 68 udp Bootstrap Protocol Cl
403. l outgoing SA SPI in hexadecimal May be equal name name of item for reference from policies Note that incoming SPI numbers on one router must match outgoing SPI numbers on another and vice versa Same for keys You can reference same manual sa template from several policies because actual SAs are inserted based on info in policies AH ESP as well as in this template as well as in key config Also each SA is distinguished by its source sa src destination sa dst protocol AH or ESP SPI and direction Proposal To add proposal use ip ipsec proposal add command There is a default proposal admin MikroTik ip ipsec proposal gt print Flags X disabled 0 name default auth algorithms shal enc algorithms 3des lifetime 30m lifebytes 0 pfs group modp1024 admin MikroTik ip ipsec proposal gt Command parameters are auth algorithms allowed algorithms for authorization md5 128 bit key 4 null any key length shal 160 bit key enc algorithms allowed algorithms and key lengths to use for SAs that will be acquired from IKE daemon by policy that references this proposal 3des aes 128 aes 192 aes 256 des null lifebytes how many bytes to encrypt using SA before throwing it out and making new one 0 means SA won t expire based on byte count default lifetime how long to use SA before throwing it out See also proposal check in peer config name name of proposal fo
404. le has to be before redirect to hotspot service rule ip firewall dst nat add dst address x x x x 32 dst port 80 protocol tcp action accept 2 in forward chain accept requests going to your web server this rule has to be before reject access for unauthorized hotspot clients rule ip firewall rule forward add dst address x x x x 32 dst port 80 protocol tcp action accept 4 For HotSpot clients to use transparent web proxy on the same router following configuration can be used 1 make sure web proxy package is installed 2 it is assumed that HotSpot is set up and successfully running Hotspot clients are connected on interface named prisml 3 set up web proxy to run on port 3128 using transparent mode ip web proxy set enabled yes address 0 0 0 0 3128 transparent proxy yes 4 set up HotSpot to use one of router s local IP addresses 10 5 50 1 ip hotspot set hotspot address 10 5 50 1 5 redirect all requests from hotspot interface to port 80 except to 10 5 50 1 to web proxy ip firewall dst nat add in interface prisml dst address 10 5 50 1 32 dst port 80 protocol tcp action redirect to dst port 3128 comment transparent proxy Now everything should be working Only traffic of redirected requests to web proxy will not be accounted It s because this traffic will not pass through the forward chain 6 to enable accounting for user traffic to from transparent web proxy additional firewall r
405. lease note that the AP is not a router It has just one network address and is just like any host on the network It resembles a wireless to Ethernet HUB or bridge The AP does not route the IP traffic The minimum configuration for the MikroTik router s wavelan wireless interface is 1 Setting the Service Set Identifier to that of the AP i e mt 2 Setting the Operation Mode to infrastructure admin MikroTik interface wavelan gt set wavelanl ssid mt mode infrastructure admineMikroTik interface wavelan gt bssid 00 40 96 42 0C 9C frequency 2437MHz data rate 11Mbit s ssid mt signal quality 64 signal level 228 noise 163 admin MikroTik interface wavelan gt The channel frequency argument does not have any meaning since the frequency of the AP is used IP Network Configuration The IP addresses assigned to the wireless interface should be from the network 10 1 1 0 24 e g MikroTik RouterOS V2 6 Reference Manual 206 WaveLAN ORiINOCO 2 4GHz 11Mbps Wireless Interface admin MikroTik ip address gt add address 10 1 1 12 24 interface wavelanl admin MikroTik ip address gt add address 192 168 0 254 24 interface etherl admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 192 168 0 254 24 192 168 0 0 192 168 0 255 etherl dl 10 1 1 12 24 10 1 1 0 LOs Lo 1625 5 wavelanl admin MikroTik ip address gt The defaul
406. led The software package file radiolan 2 6 x npk can be downloaded from MikroTik s web page www mikrotik com To install the package please upload the correct version file to the router and reboot Use BINARY mode ftp transfer After successful installation the package should be listed under the installed software packages list for example admin MikroTik interface gt system package print Flags I invalid NAME VERSION BUILD TIME UNINSTALL 0 ssh 2 6beta2 jul 05 2002 13 43 42 no 1 radiolan 2 6beta2 jul 05 2002 13 47 46 no 2 system 2 6beta2 jul 05 2002 13 42 26 no 3 vlan 2 6beta2 jul 05 2002 14 13 43 no 4 pptp 2 6beta2 jul 05 2002 13 46 11 no 5 ppp 2 6beta2 jul 05 2002 13 45 40 no 6 pppoe 2 6beta2 jul 05 2002 13 46 40 no admineMikroTik interface gt MikroTik RouterOS V2 6 Reference Manual 191 RadioLAN 5 8GHz Wireless Interface Software License The RadioLAN 5 8GHz wireless adapters require the RadioLAN 5 8GHz wireless feature license One license is for one installation of the MikroTik RouterOS disregarding how many cards are installed in one PC box The wireless feature is not included in the Free Demo or Basic Software License The RadioLAN 5 8GHz Wireless Feature cannot be obtained for the Free Demo License It can be obtained only together with the Basic Software License System Resource Usage Before installing the wireless adapter please check the availability of free IRQ s and I O base addresses
407. less Software License then the RadioLAN 5 8GHz Wireless interface should appear under the interfaces list with the name radiolanX where X is 1 2 You can change the interface name to a more descriptive one using the set command To enable the interface use the enable command admin MikroTik interface gt print Flags X disabled D dynamic R running NAME TYPE MTU O R ether1 ether 1500 1 X radiolanl radiolan 1500 2 X vlani vlan 1500 admin MikroTik interface gt enable radiolanl admin MikroTik interface gt print Flags X disabled D dynamic R running NAME TYPE MTU O R ether1 ether 1500 1 R radiolanl radiolan 1500 2 X vlani vlan 1500 admin MikroTik interface gt More configuration and statistics parameters can be found under the interface radiolan menu admin MikroTik interface radiolan gt print Flags X disabled R running MikroTik RouterOS V2 6 Reference Manual 193 RadioLAN 5 8GHz Wireless Interface O R name radiolanl mtu 1500 mac address 00 A0 D4 20 4B E7 arp enabled card name 00A0D4204BE7 sid bbbb default destination first client default address 00 00 00 00 00 00 distance 0 150m max retries 15 tx diversity disabled rx diversity disabled fadmin MikroTik interface radiolan gt Argument description number Interface number in the list name Interface name mtu Maximum Transmit Unit 68 1900 bytes Default value is 1500 bytes
408. license for synchronous feature e The synchronous link does not work Check the V 35 cabling and the line between the modems Read the modem manual Synchronous Link Applications Two possible synchronous line configurations are discussed in the following examples e MikroTik Router to MikroTik Router e MikroTik Router to CISCO Router MikroTik Router to MikroTik Router Let us consider the following network setup with two MikroTik Routers connected to a leased line with baseband modems MikroTik RouterOS V2 6 Reference Manual 141 MOXA C502 Synchronous Interface Internet interface Public address 10 1 1 12 24 interface moxa Baseband Modem Mien Tk 3 address 1 1 1 2 32 interface wan y 35 MikroTik Baseband Modem address 1 1 1 1 32 interface ether2 address 10 0 0 254 24 interface ether 1 address 192 168 0 254 24 LAN 192 168 0 0 24 LAN 10 0 0 0 24 The driver for MOXA C502 card should be loaded and the interface should be enabled according to the instructions given above The IP addresses assigned to the synchronous interface should be as follows admin MikroTik ip address gt add address 1 1 1 1 32 interface wan network 1 1 1 2 broadcast 255 255 255 255 admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 254 24 10 0 0 254 VOL 0209 ether2 dl 192 168 0 254 24 192 168 0 254 192 168 0
409. lient will try to renew this address after a half of this time and will request a new address after time limit expires address pool IP pool from which to take IP addresses for clients netmask The netmask to be used by DHCP client gateway The default gateway to be used by DHCP client src address The address which the DHCP client must use to renew an IP address lease If there is only one static address on the DHCP server interface and the source address is left as 0 0 0 0 then the static address will be used If there are multiple addresses on the interface an address in the same subnet as the range of given addresses should be used dns server The DHCP client will use this as the default DNS server Two comma separated DNS servers can be specified to be used by DHCP client as primary and secondary DNS servers domain The DHCP client will use this as the DNS domain setting for the network adapter wins server The Windows DHCP client will use this as the default WINS server Two comma separated WINS servers can be specified to be used by DHCP client as primary and secondary WINS servers add arp defines whether to add dynamic ARP entry If set to no static ARP entries must be in ip arp menu See the IP Addresses and Address Resolution Protocol Manual for more details To monitor the leases issued to DHCP clients use lease print command for example admin MikroTik ip dhcp server gt lease p
410. list, for example:
[admin@MikroTik] > sys package print
Flags: I - invalid
# NAME VERSION BUILD-TIME UNINSTALL
0 system 2.6beta4 aug/09/2002 20:22:14 no
1 ppp 2.6beta4 aug/09/2002 20:28:01 no
2 moxa-c101 2.6betas aug/09/2002 20:53:57 no
3 pppoe 2.6beta4 aug/09/2002 20:29:18 no
4 pptp 2.6beta4 aug/09/2002 20:28:43 no
5 ssh 2.6beta4 aug/09/2002
6 advanced-tools 2.6beta4 aug/09/2002
7 cyclades 2.6beta4 aug/09/2002
8 framerelay 2.6beta4 aug/09/2002
[admin@MikroTik] >
Software License
The Cyclades PC300 PCI Adapter requires the Synchronous Feature License. One license is for one installation of the MikroTik RouterOS, disregarding how many cards are installed in one PC box. The Synchronous Feature is not included in the Free Demo or Basic Software License. The Synchronous Feature cannot be obtained for the Free Demo License. It can be obtained only together with the Basic Software License.
System Resource Usage
Before installing the synchronous adapter, please check the availability of free resources:
[admin@MikroTik] > system resource irq print
Flags: U - unused
  IRQ OWNER
  1 keyboard
  2 APIC
U 3
  4 serial port
U 5
U 6
U 7
U 8
  9 ether1
U 10
  11 Cyclades PC300
U 12
U 13
  14 IDE 1
411. llowing sections are included in this Manual:
• Software Upgrade Instructions
• Software Package Installation Instructions
• Contents of the Software Packages
• System Software Package
• Additional Software Feature Packages
• Software Package Resource Usage
• Troubleshooting
Software Upgrade Instructions
Upgrade of the MikroTik RouterOS can be done by uploading the newer version software packages to the router and rebooting it.
Note: The Free Demo License does not allow software upgrades using ftp. You should use complete reinstall from floppies, or purchase the license.
Before upgrading the router, please check the current version of the system package and of the additional software packages. The version of the MikroTik RouterOS system software and the build number are shown before the console login prompt, for example:
MikroTik v2.6beta4
Login:
Information about the version numbers and build time of the installed MikroTik RouterOS software packages can be obtained using the system package print command, for example:
[admin@MikroTik] > system package print
Flags: I - invalid
# NAME VERSION BUILD-TIME UNINSTALL
0 system 2.6betal aug/09/2002 20:22:14 no
1 rip 2.6betal aug/09/2002 20:33:41 no
2 ppp 2.6beta4 aug/09/2002 20:28:01 no
3 plist 2.6betal aug/09/2002 20:32:58 no
4 pppoe 2.6betal aug/09/2002 20:29:18 no
5 pptp 2.6be
412. ls esp level require tunnel yes sa src IP 10.0.1.1 sa dst 10.0.1.2 proposal to_cisco
Configuring Cisco
Parts from Cisco configuration with comments follow:
! Configure ISAKMP policy (phase1 config, must match configuration of ip ipsec peer on RouterOS).
! Note that DES is default (and only) encryption algorithm on this Cisco. SHA1 is default authentication algorithm.
crypto isakmp policy 10
 authentication pre-share
 group 2
! Add preshared key to be used when talking to RouterOS
crypto isakmp key test_key address 10.0.1.1
! Create IPsec transform set (transformations that should be applied to traffic):
! ESP encryption with DES and ESP authentication with SHA1. This must match ip ipsec proposal.
crypto ipsec transform-set myset esp-des esp-sha-hmac
! Create access list that matches traffic that should be encrypted
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255
! Create crypto map that will use transform set myset, use peer 10.0.1.1 to establish SAs and encapsulate traffic,
! and use access list 101 to match traffic that should be encrypted
crypto map mymap 10 ipsec-isakmp
 set peer 10.0.1.1
 set transform-set myset
 match address 101
! And finally apply crypto map to serial interface
interface Serial1
 crypto map mymap
Testing
After this, simply ping from some host in one network to some host in other network. After some time (10sec), replies should start
413. lse
[admin@MikroTik] interface> put true
[admin@MikroTik] interface>
• not equal equal 10.0.2.3 < 2.0.3.10 100000s > 27h Compare two values of the same type. Arrays are equal if their respective elements are equal.
[admin@MikroTik] interface> put false
[admin@MikroTik] interface> put false
[admin@MikroTik] interface> put false
[admin@MikroTik] interface> put ERROR
[admin@MikroTik] interface>
60s 1d 1m 3600s bridge routing yes false true aye cannot compare if truth value is equal to string
• && logical and, || logical or. Logical operation on two truth values. Result of && is true if both operands are true. Result of || is true if either operand is true.
[admin@MikroTik] interface> put yes && yes yes && no true
[admin@MikroTik] interface> put no no && no yes false
[admin@MikroTik] interface>
• & bitwise and, bitwise or, ^ bitwise xor. Bitwise operations on two IP addresses. Result is also an IP address.
[admin@MikroTik] interface> put 10 16 0 134 & 255 255 255 0 0 0 0 134
[admin@MikroTik] interface>
• << shift left, >> shift right. Shift IP value left or right by given amount of bits. First argument is IP address, sec
414. ly the interface will only reply to the requests originated to its own IP addresses and not add dynamic entries to the arp table. If required, MAC addresses need to be added as static entries under ip arp neighbor
mac-address - MAC address for the interface. Cannot be changed
forward-protocols - list of forwarded protocols. Other means all other protocols than appletalk, arp, ip, ipv6, or ipx, e.g., netbeui, vlan, etc.
priority - bridge interface priority (0-65535, default 1). The priority argument is used by Spanning Tree Protocol to determine which port remains enabled if two ports form a loop.
Note that forwarded protocols is a simple filter that also affects the locally destined and locally originated packets. So, disabling the ip protocol, you will not be able to communicate with the router from the bridged interfaces.
Bridge interface should be enabled and ports specified which belong to it.
Port Settings
Bridge interfaces can be associated with physical network interfaces in the port submenu:
[admin@MikroTik] interface bridge port> print
Flags: X - disabled
# INTERFACE BRIDGE
0 ether1 bridge1
1 ether2 bridge1
2 ether3 bridge2
3 prism1 bridge2
[admin@MikroTik] interface bridge port>
Assume we want to enable bridging between two Ethernet LAN segments and have the MikroTik router be the default gateway for them: Internet
415. me isdn-out1 mtu 1500 mru 1500 msn 142 user test password test profile default phone 144 l2-protocol hdlc bundle-128K no dial-on-demand no add-default-route no use-peer-dns no
[admin@MikroTik] interface isdn-client>
Argument description:
name - interface name
mtu - Maximum Transmit Unit
mru - Maximum Receive Unit
phone - phone number to dial
msn - MSN/EAZ of ISDN line provided by the line operator
dial-on-demand - use dialing on demand
l2-protocol - level 2 protocol to be used
user - user name that will be provided to the remote server
password - password that will be provided to the remote server
add-default-route - add default route to remote host on connect
profile - profile to use when connecting to the remote server
bundle-128K - use both channels instead of just one
ISDN Server Interface Configuration
ISDN server is used to accept remote dial-in connections from ISDN clients via ISDN. To set up an ISDN dial-in connection, use the ISDN dial-in configuration menu under the interface isdn-server submenu.
ISDN server interfaces can be added using the add command:
[admin@MikroTik] interface isdn-server> add msn 142 bundle-128K no
[admin@MikroTik] interface isdn-server> print
Flags: X - disabled, R - running
0 X name isdn-in1 mtu 1500 mru 1500 msn 142 authentication mschap2 chap pap pro
416. me of sending the packet out through the interface
interface - interface through which the gateway can be reached. If unknown, then the gateway cannot be reached directly, or the route has been disabled
distance - administrative distance of the route. When forwarding a packet, the router will use the route with the lowest administrative distance and reachable gateway
Equal Cost Multipath Routing
The equal cost multipath routing feature can be used for load balancing. A new gateway is chosen for each new source/destination IP pair. This means that, for example, one FTP connection will use only one link, but a new connection to a different server will use the other link. This also means that routes to often-used sites will always be over the same provider. But on big backbones this should distribute traffic fine. This has another good feature: single connection packets do not get reordered and therefore do not kill TCP performance.
Equal cost multipath routes can be created by routing protocols (RIP or OSPF), or by adding a static route with multiple gateways. The routing protocols may create routes with equal cost automatically, if the cost of the interfaces is adjusted properly. For more information on using the routing protocols, please read the corresponding section of the Manual.
To create a static multipath route, specify the gateway argument in the form gateway x.x.x.x,y.y.y.y, for example:
[admin@MikroTik] ip route> print
Flags: X - disa
417. ments that are required may have no name. Below is a summary on executing the commands and moving between the menu levels:
Command - Action
command [Enter] - Execute the command
[?] - Show the list of all available commands
command [?] - Display help on the command and the list of arguments
command argument [?] - Display help on the command's argument
[Tab] - Complete the command/word. If the input is ambiguous, a second [Tab] gives possible options
/ - Move up to the base level
/command - Execute the base level command
.. - Move up one level
"" - Enter an empty string
"word1 word2" - Enter 2 words that contain a space
You can abbreviate names of levels, commands and arguments.
For the IP address configuration, instead of using the address and netmask arguments, in most cases you can specify the address together with the number of bits in the network mask, i.e., there is no need to specify the netmask separately. Thus, the following two entries would be equivalent:
ip address add address 10.0.0.1/24 interface ether1
ip address add address 10.0.0.1 netmask 255.255.255.0 interface ether1
However, if the netmask argument is not specified, you must specify the size of the network mask in the address argument, even if it is the 32-bit subnet, i.e., use 10.0.0.1/32 for address 10.0.0.1 and netmask 255.255.255.255
418. ments as specified
export - The export command prints a script that can be used to restore configuration. If it has the argument from, then it is possible to export only specified items. Also, if the from argument is given, export does not descend recursively through the command hierarchy. The export command also has the argument file, which allows you to save the script in a file on the router to retrieve it later via ftp. Note that it is not possible to bring back router configuration after reset just from the export scripts. Some important things like interface name assignment or user passwords just cannot be saved in export script. To back up all configuration, use the system backup save command.
enable/disable - You can enable/disable some items (like ip address or default route). If an item is disabled, it is marked with the X flag. If an item is invalid, but not disabled, it is marked with the I flag. All such flags, if any, are described at the top of the print command's output.
[admin@MikroTik] > ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 S 0.0.0.0/0 ether6
1 DC 192.168.1.0/24 ether4
2 DC 10.10.10.0/24 prism1
3 DC 10.0.0.0/24 ether6
[admin@MikroTik] >
© Copyright 1999-2001 MikroT
419. mo Software License and Software Licenses without additional features enabled, i.e., Basic Software License without additional packages purchased. For unlimited number of users, any additional wireless synchronous license is required. Thus, if you plan to use wireless hotspot, the license is already there.
Hardware Resource Usage
There is no significant resource usage.
How MikroTik HotSpot Gateway Works
MikroTik HotSpot Gateway should have at least two network interfaces:
1. HotSpot interface, which is used to connect HotSpot clients
2. LAN/WAN interface, which is used to access network resources. For example, DNS and RADIUS server(s) should be accessible
The diagram below shows sample HotSpot setup:
[Diagram: Internet, HotSpot Gateway, HotSpot interface, laptops]
The HotSpot interface should have two IP addresses assigned to it: one as gateway for the temporary address pool prior to authentication, and second as gateway for the permanent address pool used for authenticated clients. Note that you have to provide routing for these address pools, unless you plan to use masquerading (source NAT).
The arp feature should be set to reply-only on HotSpot interface to prevent network access using static IP addresses. The DHCP server will add static ARP entries for each
420. monitor the traffic flow through the interface while doing file transfer, use the interface monitor-traffic command:
[admin@MikroTik] interface> monitor-traffic Public once
received-packets-per-second 9
received-bits-per-second 4.32kbps
sent-packets-per-second 6
sent-bits-per-second 65.58kbps
[admin@MikroTik] interface> monitor-traffic Public once
received-packets-per-second 7
received-bits-per-second 3.36kbps
sent-packets-per-second 10
sent-bits-per-second 65.15kbps
[admin@MikroTik] interface> monitor-traffic Public once
received-packets-per-second 11
received-bits-per-second 5.66kbps
sent-packets-per-second 7
sent-bits-per-second 52.70kbps
[admin@MikroTik] interface>
If you want to exclude the server from being limited, add two queues for it with limit-at 0 (no limit) and move them to the top:
[admin@MikroTik] queue simple> add name Serv_D interface Local dst-address 192.168.0.17/32 limit-at 0
[admin@MikroTik] queue simple> add name Serv_U interface Public src-address 192.168.0.17/32 limit-at 0
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid
0 name Down src-address 0.0.0.0/0 dst-address 0.0.0.0/0 interface Local limit-at 128000 queue default priority 8 bounded yes
1 name UP src-address 0.0.0.0/0 dst-address 0.0.0.0/0 interface Public limit-at 64000 queue default priority 8 bounded yes
2 name Serv_D src addre
421. mple:
[admin@MikroTik_AP] interface atheros> registration-table print
# INTERFACE MAC-ADDRESS TYPE PARENT SIGNAL TRA
0 atheros1 00:40:63:C0:84:E7 local
1 atheros1 00:06:AB:00:37:8B radio 26 54Mbps
2 atheros1 00:50:08:00:01:33 local
3 atheros1 00:01:24:70:03:58 radio 47 6Mbps
[admin@MikroTik_AP] interface atheros>
Argument description for the registration-table entry:
interface - interface that client is registered to
mac-address - mac address of the registered client
type - type of the client:
• radio - client registered to the interface
• local - client learned from bridged interface
• ap - client is an access point
• forward - client is forwarded from another access point
• parent-ap - the access point this interface is connected to
parent - parent access point's MAC address, if forwarded from another access point
signal - current signal strength
tx-rate - the actual transmitting data rate of the connection
The print stats command gives additional per-client statistics:
[admin@MikroTik_AP] interface atheros> registration-table print stats
0 interface atheros1 mac-address 00:40:63:C0:84:E7 type local
1 interface atheros1 mac-address 00:06:AB:00:37:8B type radio tx-rate 54Mbps rx-rate 54Mbps packets 182 192 bytes 17840 18642 up 2 in 3 in rx time 00 08 23
422. mss 1448
[admin@MikroTik] ip firewall mangle>
Firewall Chains
The firewall filtering rules are grouped together in chains. It is very advantageous if packets can be matched against one common criterion in one chain, and then passed over for processing against some other common criteria to another chain. Let us assume that, for example, packets must be matched against the IP addresses and ports. Then matching against the IP addresses can be done in one chain without specifying the protocol ports. Matching against the protocol ports can be done in a separate chain without specifying the IP addresses.
The Input Chain is used to process packets entering the router through one of the interfaces with the destination of the router. Packets passing through the router are not processed against the rules of the input chain.
The Forward Chain is used to process packets passing through the router.
The Output Chain is used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain.
Note that the packets passing through the router are not processed against the rules of either the input or the output chain.
When processing a chain, rules are taken from the chain in the order they are listed there, from the top to the bottom. If a packet matches the criteria of the rule, then the specified action is performed on the packet, and no more rules are
423. n
When an encrypted packet is received for the local host (after dst-nat and input filter), the appropriate SA to decrypt it is looked up using packet source, destination, security protocol and SPI value. If no SA is found, the packet is dropped. If an SA is found, the packet is decrypted. Then the decrypted packet's fields are compared to the policy rule that the SA is linked to. If the packet does not match the policy rule, it is dropped. If the packet is decrypted fine (or authenticated fine), it is received once more: it goes through dst-nat and routing (which finds out what to do, either forward or deliver locally) again.
Note that before the forward and input firewall chains, a packet that was not decrypted on the local host is compared with the SPD, reversing its matching rules. If the SPD requires encryption (there is a valid SA associated with the matching SPD rule), the packet is dropped. This is called incoming policy check.
Internet Key Exchange
The Internet Key Exchange (IKE) is a protocol that provides authenticated keying material for the Internet Security Association and Key Management Protocol (ISAKMP) framework. There are other key exchange schemes that work with ISAKMP, but IKE is the most widely used one. Together they provide means for authentication of hosts and automatic management of security associations (SA).
Most of the time the IKE daemon is doing nothing. There are two possible situations when it is activated:
• Some traffic is caught
424. n RFC2865, Ch. 5.22), can be specified as many times as needed
firewall filter chain name. It is used to make a dynamic firewall rule that will jump to the specified chain if a packet comes to or from the client. Firewall chain name can have suffix in or out, which will install the rule only for incoming or outgoing traffic. Multiple filter-id can be provided, but only the last ones for incoming and outgoing are used
Acct-Interim-Interval - interim update for RADIUS client, used only if the RADIUS client does not have a local interim update setting
Ascend-Data-Rate - tx/rx data rate limitation for PPPoE. If multiple attributes are provided, the first limits tx data rate, the second rx data rate. 0 if unlimited
Mikrotik-Recv-Limit - total recv limit in bytes for the client
Mikrotik-Xmit-Limit - total transmit limit in bytes for the client
Framed-IP-Netmask - client network netmask
Ascend-Client-Gateway - client gateway
Note that the received attributes override the default ones (set in the default profile), but if an attribute is not received from the RADIUS server, the default one is to be used.
Accounting information sent to server (Accounting-Request):
Acct-Status-Type - Start, Stop, or Interim-Update
Acct-Session-Id - accounting session ID
NAS-Identifier - same as in request
User-Name - same as in request
NAS-Port-Type - same as in request
NAS-Port-Id - same as in request
Calling-Station-Id
425. n 14s
status done testing
tx-current 11.49Mbps
tx-10-second-average 10.05Mbps
tx-total-average 7.96Mbps
rx-current 12.55Mbps
rx-10-second-average 10.33Mbps
rx-total-average 8.14Mbps
[admin@MikroTik] tool>
© Copyright 1999-2002 MikroTik
Dynamic DNS (DDNS) Update Tool
Document revision 20-Aug-2002
This document applies to the MikroTik RouterOS V2.6
Overview
Dynamic DNS Update Tool gives a way to keep a domain name pointing to a dynamic IP address. It works by sending a domain name system update request to the name server which has a zone to be updated. Secure DNS updates are also supported. The Dynamic DNS Update protocol is described in RFC2136, RFC3007 and related documents.
Contents of the Manual
The following topics are covered in this manual:
• Installation
• Hardware Resource Usage
• Dynamic DNS Update Description
• Dynamic DNS Update Example
• Additional Resources
Installation
The Dynamic DNS Update feature is included in the ddns package. The package file ddns-2.6.x.npk can be downloaded from MikroTik's web page www.mikrotik.com. To install the package, please upload it to the router with ftp and reboot.
Hardware Resource Usage
The feature uses a minimum of resources.
Dynamic DNS Update Description
Dynamic DNS Update is a tool that should be manually run to update the dynamic DNS server. Note that you have to have dns server that supports dn
426. n@MikroTik] ip hotspot cookie>
HotSpot active HTTP cookie list
find - Find active HTTP cookie
print - Show active HTTP cookie list
remove - Remove active HTTP cookie
get - Get active HTTP cookie properties
[admin@MikroTik] ip hotspot cookie> print
# USER MAC-ADDRESS EXPIRES-IN
0 ex 00:30:4F:13:BF:EF 2d23h56m56s
[admin@MikroTik] ip hotspot cookie>
Cookies can be listed and removed. They cannot be changed or added manually.
HotSpot Step-by-Step User Guide
Planning the Configuration
First of all, make sure you have MikroTik RouterOS 2.6.2 or higher with hotspot and dhcp packages installed. Let us consider the following example HotSpot setup:
[Diagram: HotSpot_GW with prism1 interface, Internet, Temporary and Authenticated address ranges]
There will be 2 hotspot IP address ranges used for clients on the prism1 interface. You are free to choose the address ranges, just make sure you use masquerading for not routed ones. In our example, we are using:
• temporary addresses which must be masqueraded: network 192.168.0.0/24, gateway 192.168.0.1, pool 192.168.0.2-192.168.0.254
• real addresses which require routing: network 10.5.50.0/24, gateway 10.5.50.1, pool 10.5.50.2-10.5.50.254
Temporary addresses are given out by DHCP server (configured within ip dhcp-server), but real addresse
427. n playback
agc-on-record - automatic gain control on record
Voice Port for Voice over IP (voip)
The voip voice ports are virtual ports which designate a voip channel to another host over the IP network. You must have at least one voip voice port to be able to make calls to other H.323 devices over the IP network.
[admin@MikroTik] ip telephony voice-port voip> print detail
Flags: X - disabled
0 name VoIP_GW autodial remote-address 10.5.8.12 jitter-buffer 50ms prefered-codec none silence-detection no fast-start yes
[admin@MikroTik] ip telephony voice-port voip>
Argument description:
name - Name given by the user or the default one
remote-address - IP address of the remote party (IP telephone or gateway) associated with this voice port. If the call has to be performed through this voice port, then the specified IP address is called. If there is an incoming call from the specified IP address, then the parameters of this voice port are used. If there is an incoming call from an IP address which is not specified in any of the voip voice port records, then the default record with the address 0.0.0.0 is used. If there is no default record, then default values are used.
autodial - phone number which will be added in front of the telephone number received over the IP network. In most cases it should be blank.
jitter-buffer - size of the jitter buffer 0 1
428. n the access list. If such an entry is found, the action specified in it is taken. Otherwise, the default authentication and default forwarding of interface prismX is taken.
To add an access list entry, use the add command, for example:
[admin@MikroTik] interface prism access-list> add mac-address 00:40:96:37:A3:39 interface prism1
[admin@MikroTik] interface prism access-list> print
Flags: X - disabled, I - invalid
0 mac-address 00:40:96:37:A3:39 interface prism1 authentication yes forwarding yes
[admin@MikroTik] interface prism access-list>
Argument description:
mac-address - MAC address of the client
interface - AP interface
authentication - accept this client when it tries to connect or not
forwarding - forward the client's frames to other wireless clients or not
If you have the default authentication action for the interface set to yes, you can disallow this node to register at the AP's interface prism1 by setting authentication no for it. Thus, all nodes except this one will be able to register to the interface prism1.
If you have the default authentication action for the interface set to no, you can allow this node to register at the AP's interface prism1 by setting authentication yes for it. Thus, only the specified nodes will be able to register to the interface prism1.
Registering the Access Point to another Access Point
You can configure the access point to register to another (root) access point by specif
429. n this case:
[admin@MikroTik] interface> prism set 0 ssid mt
ERROR: item numbers not assigned
The console is telling that there has been no interface prism print command, and thus it cannot know (and neither can you) which PRISM interface number 0 corresponds to.
To understand better how item numbers work, you can play with the from argument of print commands:
[admin@MikroTik] interface> print from 1
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE MTU
0 R ether2 ether 1500
[admin@MikroTik] interface>
The from argument specifies what items to show. Numbers are assigned by every print command, thus, after executing the command above there will be only one item accessible by number: interface ether2 with number 0.
Item Names
Some lists have items that have specific names assigned to each. Examples are interface or user levels. There you can use item names instead of numbers:
[admin@MikroTik] interface> set prism1 mtu 1460
You don't have to use the print command before accessing items by name. As opposed to numbers, names are not assigned by the console internally, but are one of the items' parameters. Thus, they won't change on their own. However, there are all kinds of obscure situations possible when several users are changing router configuration at the same time. Generally, item names are more stable than numbers, and also more informative, so you should prefer them to numbers when writing console scripts.
Qui
430. n this list. The next is printed just after adding an OSPF network:
[admin@MikroTik] routing ospf> neighbor print
router-id 10.0.0.204 address 10.0.0.204 priority 1 state 2-Way state-changes 0 ls-retransmits 0 ls-requests 0 db-summaries 0 dr-id 0.0.0.0 backup-dr-id 0.0.0.0
[admin@MikroTik] routing ospf>
Description of the printout:
router-id - router id parameter of the OSPF neighbour
address - appropriate IP address of the OSPF neighbour
priority - priority of the neighbour, which is used in designated router elections on this network
state - state of connection:
• Down - the connection is down
• Attempt - sending Hello packet
• Init - Hello packet received from the neighbour
• 2-Way - bidirectional communication established
• ExStart - negotiating Exchange state
• Exchange - exchanging with whole Link State DataBase
• Loading - receiving information from the neighbour
• Full - the neighbouring routers are fully adjacent (the link state databases are completely synchronized)
state-changes - number of state changes of the connection
ls-retransmits - number of Link State retransmits
ls-requests - number of Link State requests
db-summaries - number of records in link state database advertised by the neighbour
dr-id - router id of designated router for this neighbour
backup-dr-id - router
431. nal Resources
Links for IPIP documentation:
http://www.ietf.org/rfc/rfc1853.txt?number=1853
http://www.ietf.org/rfc/rfc2003.txt?number=2003
http://www.ietf.org/rfc/rfc1241.txt?number=1241
© Copyright 1999-2002 MikroTik
ISDN Interface
Document revision 29-Nov-2002
This document applies to MikroTik RouterOS V2.6
Overview
The MikroTik router can act as an ISDN client for dialing out, or as an ISDN server for accepting incoming calls. The dial-out connections may be set as dial-on-demand or as permanent connections (simulating a leased line). The remote IP address (provided by the ISP) can be used as the default gateway for the router.
MikroTik RouterOS supports the following ISDN adapters (ISA ISDN adapters are not supported):
• Passive PCI adapters with Siemens chipset (Eicon.Diehl Diva, Sedlbauer Speed, ELSA Quickstep 1000, NETjet, Teles, Dr. Neuhaus Niccy, AVM, Gazel, HFC-2BDS0 based adapters, W6692 based adapters)
Topics covered in this manual:
• ISDN Hardware and Software Installation
• Loading the ISDN Driver
• ISDN Channels
• MSN and EAZ numbers
• ISDN Client Interface Configuration
• ISDN Server Interface Configuration
• Troubleshooting
• ISDN Examples
• ISDN Dial-out
• ISDN Dial-in
• ISDN Backup
• ISDN Backup Description
• Setting up ISDN Connection
• Setting up Static Routes
• Adding Scripts
• Setting up Netwatch
ISDN Hardware and Softw
432. name - Interface name
mtu - Maximum Transmit Unit (256...2296 bytes). The default value is 1500 bytes.
mac-address - MAC address of the card. Cannot be changed.
frequency - Channel frequency (2412MHz, 2422MHz ... 2484MHz)
data-rate - Data rate (11Mbit/s, 1Mbit/s, 2Mbit/s, 5.5Mbit/s, auto)
mode - Operation mode of the card (infrastructure, ad-hoc)
ssid - Service Set Identifier
client-name - Client name
key1 - Encryption key 1
key2 - Encryption key 2
key3 - Encryption key 3
key4 - Encryption key 4
tx-key - Transmit key (key1, key2, key3, key4)
encryption - Encryption (no, yes)
arp - Address Resolution Protocol, one of the:
• disabled - the interface will not use ARP protocol
• enabled - the interface will use ARP protocol
• proxy-arp - the interface will be an ARP proxy (see corresponding manual)
• reply-only - the interface will only reply to the requests originated to its own IP addresses, but neighbour MAC addresses will be gathered from ip arp statically set table only
You can monitor the status of the wireless interface:
[admin@MikroTik] interface wavelan> monitor 0
bssid 44:44:44:44:44:44
frequency 2422MHz
data-rate 11Mbit/s
ssid tsunami
signal-quality 0
signal-level 0
noise 0
[admin@MikroTik] interface wavelan>
To set the wireless interface for work
433. Expressions 39; Value types 41; Colon commands 43; Monitor commands 45; Get commands 45; More on Syntax 46; SSH Installation and Usage 47; Contents of the Manual 47; Installation 47; Hardware Resource Usage 47; Suggested Windows Client Setup 48; Suggested UNIX/Linux Client Setup 48; Additional Resources 48; Links for Windows Client 48; Software Package Installation and Upgrading 49; Contents of the Manual 49; Software Upgrade Instructions 49; Software Package Installation Instructions 50; Contents of th
434. nce Manual 175 PrismII Wireless Client and Wireless Access Point Manual System Resource Usage Before installing the wireless adapter please check the availability of free IRQ s and I O base addresses A system with installed PrismII card and Ricoh PCMCIA PCI adapter reports for example the following admin MikroTik gt system resource irq print Flags U unused IRQ OWNER 1 keyboard 2 APIC U 3 4 serial port U 5 U 6 U 7 U 8 9 ether1 U 10 11 PCMCIA service 11 prism2_cs UT U 13 14 IDE 1 admin MikroTik gt system resource io print PORT RANGE OWNER 20 3F APIC 40 5F timer 60 6F keyboard 80 8F DMA A0 BF APIC C0 DF DMA F0 FF FPU 100 13F prism2_cs 1F0 1F7 IDE 1 2F8 2FF serial port 3C0 3DF VGA 3F6 3F6 IDE 1 3F8 3FF serial port CF8 CFF PCI conf1 EF00 EFFE Realtek Semiconductor Co Ltd RTL 8139 EF00 EFFE 8139too FC00 FC7F Cyrix Corporation 5530 IDE Kahlua FC00 FC07 IDE 1 FC08 FC0F IDE 2 MikroTik gt Installing the Wireless Adapter The basic installation steps of the wireless adapter should be as follows 1 Check the system BIOS settings and make sure you have the PnP OS Installed set to Yes 2 Check the system BIOS settings for peripheral devices like Parallel or Serial communication ports Disable them if you plan to use IRQ s assigned to them by the BIOS Loading the Driver for the Wireless Adapter PCI and PC PCMCIA cards do n
435. nd and argument names You can type only beginning of command name and if it is not ambiguous console will accept it as a full name So typing admin MikroTik gt pi 10 1 c 3 s 100 equals to admin MikroTik gt ping 10 0 0 1 count 3 size 100 MikroTik RouterOS V2 6 Reference Manual 26 Terminal Console Manual Help The console has a built in help which can be accessed by typing General rule is that help shows what you can type in position where the was pressed similarly to pressing tab key twice but in verbose form and with explanations Internal Item numbers Items can also be addressed by their internal numbers These numbers are generated by console for scripting purposes and as the name implies are used internally Although you can see them if you print return values of some commands internal numbers look like hex number preceded by an asterisk for example *100A there s no reason for you to type them in manually Note As an implication of internal number format you should not use item names that begin with asterisk Multiple Items You can specify multiple items as targets of some commands Almost everywhere where you can write the number of items you can also write a list of numbers admin MikroTik gt interface print Flags X disabled D dynamic R running NAME TYPE MTU 0 R ether1 ether 1500 1 R ether2 ether 1500 2 R ether3 ether 1500 3 R ether4 ether 1500 admin
436. nd level by grouping them with For example admin MikroTik ip address gt user add name x password y group write add name y password z group read print Flags X disabled 0 ;;; system default user name admin group full address 0 0 0 0 0 1 name x group write address 0 0 0 0 0 2 name y group read address 0 0 0 0 0 admin MikroTik ip address gt You should not change current command level in scripts by typing just its path without any command like you do when working with console interactively Such changes have no effect in scripts Consider admin MikroTik ip address gt user ip route print Flags X disabled 0 ;;; system default user name admin group full address 0 0 0 0 0 1 name x group write address 0 0 0 0 0 2 name y group read address 0 0 0 0 0 MikroTik RouterOS V2 6 Reference Manual 36 Scripting Manual admin MikroTik ip route gt Although the current command level is changed to ip route it has effect only on next command entered from prompt print command is still considered to be user print Variables Console allows to create and use global system wide and local only usable within one script variables Variables can be accessed by writing followed by name of variable Variable names can contain letters digits and character admin MikroTik ip route gt put Sa ERROR unknown
437. nd structure is similar to the Unix shell Since there s a lot of available commands they re split into hierarchy For example all well almost all commands that work with routes start with ip route admin MikroTik gt ip route print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 E 10203051 I ether6 r 192 168 1 254 ether4 1 DC 192 168 1 0 24 T 0 0 0 0 0 ether4 2 DC 10 10 10 0 24 r 00 030 0 prism1 3 DC 10 0 0 0 24 r 0 0 0 0 0 ether6 admin MikroTik gt ip route set 0 gateway 10 0 0 1 admin MikroTik gt ip route print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 r 10 0 0 1 1 ether6 1 DC 192 168 1 0 24 r 0 0 0 0 0 ether4 2 DC 10 10 10 0 24 E 00 00 0 prism1 3 DC 10 0 0 0 24 r 0 0 0 0 0 ether6 admin MikroTik gt Instead of typing ip route before each command ip route can be typed once to change into that particular branch of command hierarchy Thus the example above could also be executed like this admin MikroTik gt ip route admin MikroTik ip route gt print MikroTik RouterOS V2 6 Reference Manual 23 Terminal Console Manual Flags X disabled I invalid D dynamic J rejected C connect S static R
438. ned for the Software ID of your system The new key should be entered using the system license set key command and the router should be rebooted afterwards admin MikroTik system license gt print software id TPNG SX key 2C6A YUE 3H2 MikroTik RouterOS V2 6 Reference Manual 53 Software Package Installation and Upgrading upgradable to dec 01 2002 admin MikroTik system license gt feature print Flags X disabled FEATURE O X AP 1 X synchronous 2 X radiolan 3 X wireless 2 4gHz 4 licensed admin MikroTik system license gt set key D45G IJ6 QM3 admin MikroTik system license gt system reboot Reboot yes y Nl y system will reboot shortly If there is no appropriate license the appropriate interfaces won't show up under the interface list even though the packages can be installed on the MikroTik RouterOS and corresponding drivers loaded Software Package Resource Usage The following table shows the required resources of HDD storage and RAM for the various software packages The total required storage space can be calculated by adding together the required storage of all installed packages including the system software package Note that there are only minimal requirements needed to run the software Additional resource usage is expected from many packages when they are configured and running especially from web proxy system and dns cache dc rd a nc ESO usage pdvanced
439. net over IP tunnel interfaces EoIP e driver management for Ethernet ISA cards e serial port management e local user management e export and import of router configuration scripts e backup and restore of the router s configuration e undo and redo of configuration changes e network diagnostics tools ping traceroute bandwidth tester traffic monitor MikroTik RouterOS V2 6 Reference Manual 51 Software Package Installation and Upgrading e bridge configuration e system resource management e package management e telnet client and server e local and remote logging facility It also includes winbox server as well as winbox executable with some plugins After installing the MikroTik RouterOS a license should be obtained from MikroTik to enable the basic system functionality Additional Software Feature Packages The table below shows additional software feature packages the provided functionality the required prerequisites and additional licenses if any License Provides network monitor and advanced tools support for other advanced tools Provides support for CISCO aironet Aironet IEEE 802 11b wireless PC PCI ISA cards Provides support for Atheros chipset based IEEE 802 11a wireless cards as clients or as access points Provides BGP support Provides support for PC300 E synchronous synchronous interfaces Provides dynamic DNS support bo o dhe Provides DHCP server and client P support DNS cache
440. nfiguration To set the wireless interface working as an IEEE 802 11a access point to register clients you should set the following parameters e The Service Set Identifier It should be unique for your system e The Operation Mode of the card should be set to ap bridge or bridge e The Frequency of the card All other parameters can be left as default However you should make sure that all clients support the basic rate of your access point i e the supported rates of the client should cover the basic rates of the access point To configure the wireless interface for working as an access point with ssid testing and use the frequency 5240MHz it is enough to enter the command admin MikroTik interface atheros gt set atheros1 mode ap bridge frequency 5240MHz ssid testing admin MikroTik_AP interface atheros gt print Flags X disabled R running O R name atheros1 mtu 1500 mac address 00 06 AB 00 37 88 arp enabled mode ap bridge root ap 00 00 00 00 00 00 frequency 5240MHz ssid testing supported rates 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates 6Mbps protocol 802 11 standard ack time 100 default authentication yes default forwarding yes max clients 2007 admin MikroTik_AP interface atheros gt Use the registration table to see the associated clients Registration Table The registration table shows all clients currently associated with the access point for exa
441. nformation Frame Relay uses the synchronous HDLC frame format Topics covered in this manual e Frame Relay Installation on the MikroTik RouterOS e Configuring Frame Relay Interface Cyclades PC300 interface e MOXA C101 interface Frame Relay PVC interface e Frame Relay Configuration Example with Cyclades Interface e Frame Relay Configuration Example with MOXA Interface e Frame Relay Troubleshooting Frame Relay Installation on the MikroTik RouterOS e Hardware part of Frame Relay installation To use Frame Relay interface you must have already working synchronous interface You can read how to set up synchronous boards supported by Mikrotik RouterOS Cyclades PC300 PCI Adapters Moxa C101 Synchronous interface e Software part of Frame Relay installation The framerelay 2 6 x npk 89 KB package is required The package can be downloaded from MikroTik s web page www mikrotik com To install this package please upload it to the router with ftp and reboot You may check to see if the package is installed with the command admin MikroTik gt system package print Flags I invalid NAME VERSION BUILD TIME UNINSTALL 0 system 2 6beta1 aug 09 2002 20 22 14 no 1 ppp 2 6beta1 aug 09 2002 20 28 01 no 2 pppoe 2 6beta1 aug 09 2002 20 29 18 no 3 pptp 2 6beta1 aug 09 2002 20 28 43 no 4 ssh 2 6beta1 aug 09 2002 20 25 31 no 5 advanced tools 2 6beta1 aug 09 2002 20 53 37 no 6 farsync 2 6beta1 aug 09 2002 20 51 48
442. ng even with no cache when you want to use it as something like HTTP and FTP firewall for example denying access to mp3 files or to redirect requests to external proxy transparently MikroTik Web Proxy Description The web proxy can be used as transparent and normal web proxy at the same time In transparent mode it is possible to use it as standard web proxy too However in this case proxy users may have trouble reaching web pages which are accessed transparently When setting up Web proxy make sure it serves only your clients and is not misused as a relay Please read the security notice in the Access List Section MikroTik Web Proxy Setup The Web Proxy management can be accessed under the ip web proxy submenu admin MikroTik gt ip web proxy HTTP proxy clear cache Clear http cache access Access list cache Cache access list direct Direct access list monitor Monitor proxy status and usage print Print current configuration and status get Get value of configuration property set Change proxy configuration export Export web proxy settings admin MikroTik gt ip web proxy Web proxy will automatically detect any problems with cache and will try to solve them without losing any cache data But in case of a heavy damage to the file system the web proxy can t rebuild cache data Cache can be deleted and new cache directories created by the command ip web proxy clear cache Monitoring the Web Proxy Use the command ip web
443. nging Tone2 ringmid bin Ringing Tone3 ringhi bin usr config 2 Check if you have the codecs arranged in the desired order usr config voice print Voice codec setting relate information Sending packet size Gy 12371 711A s TETU 729A 2129 Priority order codec MAQA 30 ms 20 ms 20 ms 20 ms 20 ms g7231 g7lla g711u g729a g729 Volume levels voice volume input gain dtmf volume Silence suppression amp CNG G 723 1 Echo canceller JitterBuffer Min Delay JitterBuffer Max Delay usr config 54 26 23 off On 90 150 3 Make sure you have set the H 323 operation mode to phone to phone P2P not gatekeeper GK usr config h323 print H 323 stack relate information RAS mode Registered e164 Registered H323 ID RTP port H 245 port Allocated port range start port end port Response timeOut Connect timeOut usr config Non GK mode 31 Robert 16384 16640 1024 65535 5 5000 4 Add the gateway s address to the phonebook usr config pbook add name gw ip 10 1 1 12 usr config This may take a few seconds please wait MikroTik RouterOS V2 6 Reference Manual 295 IP Telephony Commit to flash memory ok usr config pbook print index Name IP E164 1 gw LOLA Te 12 usr configs Making calls from the IP telephone 10 5 8 2 e Just lift the handset and dial 11 or 13 for the PBX extensions e Dial 33 for Joe The call request will be sent
444. nits d day days unit is 24 hours h hour hours unit is 1 hour m unit is 1 minute s unit is 1 second ms unit is 1 millisecond 0 001 second MikroTik RouterOS V2 6 Reference Manual 42 Scripting Manual Colon commands Console has many built in commands that start with prefix They don t change configuration directly but are most useful for writing scripts You can see list of all such commands by pressing after typing just the prefix admin MikroTik gt local global unset set put while if do time incr decr for foreach delay environment log introduces local variable introduces global variable forgets variable creates or changes variable value prints argument on the screen executes command while condition is true executes command if condition is true executes command times command increments variable decrements variable executes command for a range of integer values executes command for every element in a list does nothing for a while default 1 second admin MikroTik gt local global unset set incr and decr commands are explained in the section about variables Here all the other commands will be explained e put takes only one unnamed argument It is displayed on screen Cannot be used in scripts because scripts don t have anywhere to display values on to e if This is a conditional or branching command It has one unnamed a
445. nnel Protocol PPTP; Contents of the Manual; Hardware Resource Usage; PPTP Protocol Description; PPTP Client Setup; PPTP Server Setup; PPTP Router to Router Secure Tunnel Example; Connecting a Remote Client via PPTP Tunnel; PPTP Setup for Windows; Sample instructions for PPTP VPN installation and client setup Windows 988; Troubleshooting; Additional Resources; PrismII Wireless Client and Wireless Access Point Manual; Contents of the Manual; Supported Network Roles
446. nning NAME TYPE MTU 0 R ether1 ether 1500 1 R ether2 ether 1500 2 R ether3 ether 1500 3 R ether4 ether 1500 4 R ether5 ether 1500 5 R sync1 sync 1500 6 R pel pc 1500 7 R ether6 ether 1500 8 R prism1 prism 1500 admin MikroTik interface gt The device drivers for NE2000 compatible ISA cards need to be loaded using the add command under the drivers menu For example to load the driver for a card with IO address 0x280 and IRQ 5 it is enough to issue the command admin MikroTik driver gt add name ne2k isa io 0x280 admin MikroTik driver gt print Flags I invalid D dynamic DRIVER IRQ IO MEMORY ISDN PROTOCOL 0 D RealTek 8139 1 D Intel EtherExpressPro 2 D PCI NE2000 3 ISA NE2000 280 4 Moxa C101 Synchronous C8000 admin MikroTik driver gt The interfaces need to be enabled if you want to use them for communications Use the interface enable name command to enable the interface with a given name for example admin MikroTik interface gt print Flags X disabled D dynamic R running NAME TYPE MTU 0 X ether1 ether 1500 0 X ether2 ether 1500 admin MikroTik interface gt enable 0 admin MikroTik interface gt enable ether2 admin MikroTik interface gt print Flags X disabled D dynamic R running NAME MTU TYPE 0 R ether1 ether 1500 0 R ether2 ether 1500 admin MikroTik interface gt You can use the number or the name of the interface in the
447. no ip mroute cache speed auto half duplex ip classless ip route 0 0 0 0 0 0 0 0 10 0 0 1 no ip http server dialer list 1 protocol ip permit dialer list 1 protocol ipx permit j voice port 0 0 voice port 0 1 voice port 2 0 voice port 2 1 dial peer voice 1 pots destination pattern 101 port 0 0 dial peer voice 97 voip destination pattern 097 session target ipv4 10 0 0 97 codec g711ulaw dial peer voice 98 voip destination pattern 098 voice class codec 1 session target ipv4 10 0 0 98 p line con 0 transport input none line aux 0 line vty 0 4 password 123 login y end Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 298 IP Traffic Accounting Document revision 22 Nov 2002 This document applies to the MikroTik RouterOS v2 6 Overview The IP Traffic Accounting feature enables administrators to keep an accurate record of traffic passed through the router even through the bridged interfaces between IP level hosts ISPs or network administrators can use this for traffic based billing or detailed monitoring of network activity This feature generates simple traffic data Additional utilities are required for useful analysis and calculation of the traffic data Information on utilities and examples of scripts for collecting data are provided in this manual The MikroTik RouterOS supports e Cisco IP pairs and snapshot image traffic data output style e Collection of
448. TIMEZONE; Serial Console; Contents of the Manual; Hardware Resource Usage; Serial Console Configuration; Troubleshooting; Serial Terminal; Contents of the Manual; Hardware Resource Usage; Serial Terminal Description; Serial Terminal Usage; Serial Terminal Examples; Support Output File; Installation; Hardware Resource Usage; Support File Description; Example of Making Support Output File
449. nse System Resource Usage Loading the Driver e Ethernet Interface Configuration Ethernet Adapter Hardware and Software Installation Software Packages The drivers for Ethernet NICs are included in the system package No installation of other packages is needed Software License The license for Ethernet NICs is included in the Basic License No additional license is needed System Resource Usage Before installing the Ethernet adapter please check the availability of free IRQ s and I O base addresses admin MikroTik gt system resource irq print Flags U unused IRQ OWNER 1 yes keyboard yes APIC no yes serial port yes PCMCIA service no no no G ONAN BWHD MikroTik RouterOS V2 6 Reference Manual 100 Ethernet Interfaces U 9 no 10 yes e1000 11 yes ether3 12 yes ether1 13 yes FPU 14 yes IDE 1 admin MikroTik gt system resource io print PORT RANGE OWNER 20 3F APIC 40 5F timer 60 6F keyboard 80 8F DMA A0 BF APIC C0 DF DMA F0 FF FPU 1F0 1F7 IDE 1 2F8 2FF serial port 3C0 3DF VGA 3F6 3F6 IDE 1 3F8 3FF serial port 9400 94FF ether1 F000 F007 IDE 1 F008 F00F IDE 2 admin MikroTik gt Loading the Driver PCI PCMCIA and CardBus adapters do not require a manual driver loading since they are recognized automatically by the system and the driver is loaded at the system startup ISA adapters require the driver to be loaded by issuing the following command admin Mikro
450. nsole gt port print 0 name serial0 used by LCP Panel baud rate 9600 data bits 8 parity none stop bits 1 flow control none 1 name serial1 used by baud rate 9600 data bits 8 parity none stop bits 1 flow control none The Serial Console port must be set to serial1 since the serial0 port is already used by another device admin MikroTik system serial console gt set port serial1 enable yes admin MikroTik system serial console gt print enabled yes port serial1 admin MikroTik system serial console gt e The port parameter settings for baud rate stop bits etc do not match the settings of your terminal Adjust the port settings of your Terminal program to the settings of MikroTik router see port print detail MikroTik RouterOS V2 6 Reference Manual 381 Serial Console Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 382 Serial Terminal Document revision 16 Sep 2002 This document applies to the MikroTik RouterOS v2 6 Overview The system serial terminal command is used to communicate with devices and other systems that are connected to router via serial port The serial terminal may be used to monitor and configure many devices including modems network devices and any device that can be connected to a serial terminal Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e Serial Terminal Desc
451. nt state of the port on hook the handset is on hook no activity MikroTik RouterOS V2 6 Reference Manual 279 IP Telephony off hook the handset is off hook the number is being dialed ring call in progress direction of the call is shown by the argument direction connection the connection has been established busy the connection has been terminated the handset is still off hook port only for linejack the active port of the card phone telephone connected to the card POTS line line connected to the linejack card PSTN direction direction of the call ip to port call from the IP network to the voice card 4 port to ip call from the voice card to an IP address line status only for linejack and zaptel state of the PSTN line plugged the telephone line is connected to the PSTN port of the card unplugged there is no working line connected to the PSTN port of the card phone number the number which is being dialed remote party name name and IP address of the remote party codec CODEC used for the audio connection duration duration of the audio call Voice Port Statistics Voice port statistics are available for all local voice ports only VoIP voice ports do not provide this ability Use the show stats command under the corresponding menu to view the statistics of current audio connection For example admin MikroTik ip teleph
452. ntally removed some item or set wrong argument value just execute the undo command to undo previously done action The redo would do the opposite redo the previous undo action Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 389 System Scheduler Manual Document revision 19 Nov 2002 This document applies to the MikroTik RouterOS V2 6 Overview The scheduler is used to execute scripts at certain times It has an ordered list of tasks For details on scripting consult respective manual Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e Using System Scheduler e System Scheduler Examples Installation The System Scheduler features are included in the system package No installation is needed for this feature Hardware Resource Usage Hardware resource usage depends on the script that is run using the System Scheduler feature Using System Scheduler To add a task use the add command For example we add a task that executes the script log test every hour admin MikroTik system script gt add name log test source log admin MikroTik system script gt print 0 name log test source log owner admin run count 0 admin MikroTik system script gt scheduler admin MikroTik system scheduler gt print Flags X disabled NAME SCRIPT START DATE START TIME INTERVAL 0 run 1h log test oct 30 200
453. nu yes no default is no Traceroute Example admin MikroTik tool gt traceroute 216 239 39 101 size 64 timeout 4s tos 0 protocol icmp ADDRESS STATUS 1 159 148 60 227 3ms 3ms 3ms 2 195 13 113 221 80ms 169ms 14ms 3 195 13 173 28 6ms 4ms 4ms 4 195 158 240 21 111ms 110ms 110ms LLISTA ALAS 124ms 120ms 129ms 6 213 174 71 134 139ms 146ms 135ms 7 213 174 70 245 132ms 131ms 136ms 8 213 174 70 58 211ms 215ms 215ms 9 195 158 229 130 225ms 239ms Os 10 216 32 223 114 283ms 269ms 281ms Ti 2164 32 132 1 4 267ms 260ms 266ms 12 209 185 9 102 296ms 296ms 290ms 13 216 109 66 1 288ms 297ms 294ms 14 216 109 66 90 297ms 317ms 319ms 15 216 239 47 66 137ms 136ms 134ms 16 216 239 47 46 135ms 134ms 134ms 7 206 239 39 101 134ms 134ms 135ms admin MikroTik tool gt Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 413 Traffic Monitor Document revision 6 Sep 2002 This document applies to MikroTik RouterOS v2 6 Overview The traffic monitor tool is used to execute console scripts when interface traffic crosses some given thresholds For details on scripting consult respective manual Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e Traffic Monitor Description e Traffic Monitor Examples Installation Traffic monitor feature is included in the system package No installation is needed for this feature Hardware
454. nual 375 Log Management time aug 12 2002 16 42 57 message user admin logged out from 10 0 0 250 via ftp Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 376 Network Time Protocol NTP Document revision 19 Nov 2002 This document applies to the MikroTik RouterOS V2 6 Overview NTP protocol allows synchronizing time among computers in network It is best if an Internet connection is available and the local NTP server is synchronized to a correct time source A list of public NTP servers is available at http www eecis udel edu mills ntp servers htm Contents of the Manual The following topics are covered in this manual e NTP Installation on the MikroTik RouterOS e NTP Client e NTP Server e TIMEZONE NTP Installation on the MikroTik RouterOS The ntp 2 6 x npk package is required The package can be downloaded from MikroTik s web page www mikrotik com To install the package please upload it to the router via ftp and reboot You may check to see if the packages are installed with the system package print command NTP Client The NTP Client setup is under system ntp client admin MikroTik gt system ntp client print enabled no mode unicast primary ntp 0 0 0 0 secondary ntp 0 0 0 0 status stopped admin MikroTik gt NTP client synchronizes local clock with some other time source NTP server There are 4 modes in which NTP client can operate e In unicast Client Serve
455. nual 284 IP Telephony Let us add a few more records admin MikroTik ip telephony numbers gt print Flags I invalid X disabled DST PATTERN VOICE PORT PREFIX 6 Fee MM 33 p LT NN ELL admin MikroTik ip telephony numbers gt If nr 335 gt incomplete record 6 gt the call is rejected Explanation of this case The nr 335 fits perfectly both the record 3 and 5 The 5 is chosen as the best match candidate at the moment Furthermore there is record 6 which has two matching digits more than for 3 or 5 Therefore the 6 is chosen as the best match However the record 6 requires five digits but the nr has only three Two digits are missing therefore the number is incomplete Two additional digits would be needed to be entered on the dialpad If the number is sent over from the network it is rejected If nr 325 gt matches the record 5 gt nc 55325 vp LL If nr 33123 gt matches the record 6 gt nc 33123 vp MM If nr 123 gt incomplete record 0 gt call is rejected If nr 111 gt incomplete record 1 gt call is rejected If nr 112 gt matches the record 7 gt nc 77112 vp NN If nr 121 gt matches the record 3 gt nc 55121 vp QQ It is impossible to add the following records admin MikroTik ip telephony numbers gt print Flags I invalid X disabled DST PATTERN VOICE PORT as reason 11 DD conflict with record 1 and 7 Dl DD con
456. o port serial0 admin MikroTik system serial console gt MikroTik RouterOS V2 6 Reference Manual 380 Serial Console To enable Serial Console admin MikroTik system serial console gt set enabled yes admin MikroTik system serial console gt print enabled yes port serial0 admin MikroTik system serial console gt To change port admin MikroTik system serial console gt set port serial1 admin MikroTik system serial console gt print enabled yes port serial1 admin MikroTik system serial console gt To check if the port is available or used admin MikroTik system serial console gt port print detail 0 name serial0 used by baud rate 9600 data bits 8 parity none stop bits 1 flow control none 1 name serial1 used by Serial Console baud rate 9600 data bits 8 parity none stop bits 1 flow control none admin MikroTik system serial console gt Troubleshooting e An error appears when trying to enable the Serial Console This situation can occur when the Serial console is set on a port which is already being used by another device such as a ppp server ppp client LCD etc e g admin MikroTik system serial console gt print enabled no port serial0 admin MikroTik system serial console gt set enabled yes ERROR can t acquire requested port Check the available ports using the port print detail command admin MikroTik system serial co
457. o alphanumeric characters In our case we use ssid ba72 2 Setting the distance parameter in our case we have 6km link The IP addresses assigned to the wireless interface of Router 1 should be from the network 10 1 0 0 30 e g admin MikroTik ip address gt add address 10 1 0 1 30 interface radiolan1 admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 1 12 24 LOSE 0 LOST ih 255 ether1 1 10 1 0 1 30 1021 00 101 033 radiolan1 admin MikroTik ip address gt The default route should be set to the gateway router 10 1 1 254 A static route should be added for the network 192 168 0 0 24 admin MikroTik ip route gt add gateway 10 1 1 254 comment copy from disabled distance dst address netmask preferred source admin MikroTik ip route gt add gateway 10 1 1 254 preferred source 10 1 0 1 admin MikroTik ip route gt add dst address 192 168 0 0 24 gateway 10 1 0 2 preferred source 10 1 0 1 admin MikroTik ip route gt print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 u 10 1 1 254 1 radiolan1 1 Ss 192 168 0 0 24 ELO DN O P T radiolan1 2 DC 10 1 0 0 30 03000 0 radiolan1 3 DC 10 1 1 0 24 r 0 0 0 0 0 ether1 admin MikroTik ip route gt The Router 2 should have addre
458. o limit 10 red limit 60 red min threshold 10 red max threshold 50 red burst 20 sfq perturb 5 sfq allot 1514 3 name synchronous default kind red bfifo limit 15000 pfifo limit 10 red limit 60 red min threshold 10 red max threshold 50 red burst 20 sfq perturb 5 sfq allot 1514 4 name CUSTOMER def kind red bfifo limit 15000 pfifo limit 10 red limit 60 red min threshold 0 red max threshold 50 red burst 0 sfq perturb 5 sfq allot 1514 admin MikroTik queue type gt Argument description name name for the queue type kind kind of the queuing algorithm used pfifo Packets First In First Out bfifo Bytes First In First Out red Random Early Detection sfq Stochastic Fair Queuing none same as default The queue type as it is by default for the specific interface bfifo limit BFIFO queue limit Maximum packet number that queue can hold pfifo limit PFIFO queue limit Maximum byte number that queue can hold red limit RED queue limit red min threshold RED minimum threshold red max threshold RED maximum threshold red burst RED burst sfq perturb amount of data in bytes that can be sent in one round robin round sfq allot how often to change hash function For small limitations 64kbps 128kbps RED is more preferable For larger speeds PFIFO will be as good as RED RED consumes much more memory and CPU than PFIFO amp
459. o pass the request to the parent proxy or to resolve it connecting to the requested server directly Direct Access List is managed just like Proxy Access List described in the previous chapter except the action argument Description of the action argument values e allow always resolve matching requests directly not through parent proxy e deny resolve matching requests through parent proxy if there is one If there is no parent proxy action will be the same as with allow Default action if no rules specified or request did not match any is deny Managing the Cache Cache access list specifies which requests domains servers pages have to be cached locally by web proxy and which not The Web Proxy cache access list is located under the ip web proxy cache submenu Access list is implemented exactly the same way as web proxy access list Default action is to cache object if no matching rule is found By default one cache access rule is already added admin MikroTik ip web proxy cache gt print Flags X disabled SRC ADDRESS DST ADDRESS DST PORT URL ACTION 0 0 0 0 0 0 0 0 0 0 0 0 65535 cgi bin deny admin MikroTik ip web proxy cache gt This rule defines that all runtime generated pages which are located within cgi bin directories or contain in url has not to be cached Note Objects which are larger than max object size are not cached Transparent Mode To enable the transparent mode
460. o the MikroTik RouterOS V2 6 Overview The MikroTik RouterOS supports the following LCD hardware e Crystalfontz http www crystalfontz com Intelligent Serial LCD Module 632 16x2 characters and 634 20x4 characters e Powertip http www powertip com tw Character LCD Modules Contents of the Manual The following topics are covered in this manual e Installation How to Connect PowerTip LCD to a Parallel Port e Hardware Resource Usage e Configuring the LCD s Settings LCD Information Display Configuration e LCD Troubleshooting Installation The MikroTik Router should have the LCD software package installed The software package file led 2 6 x npk can be downloaded from MikroTik s web page www mikrotik com To install the package please upload the correct version file to the router and reboot Use BINARY mode ftp transfer After successful installation the package should be listed under the installed software packages list How to Connect PowerTip LCD to a Parallel Port Data signals are connected that way Enable Strobe 6 Dao fr Datal fo o Daa P Datas fio 7 Daas f2 Dawe f3 Daar fa po MIO Bl MikroTik RouterOS V2 6 Reference Manual 368 Liquid Crystal Display LCD Manual Powering LCD pins 2 15 5 R2 10KOhm LCD pin 3 R3 100 Ohm 5 LCD pin 17 As there are only 16 pins for the PC1602 modules you need not connect power to the 17th pin GND and 5V can
461. oTik MikroTik RouterOS V2 6 Reference Manual 48 Software Package Installation and Upgrading Document revision 29 Nov 2002 This document applies to the MikroTik RouterOS V2 6 Overview The MikroTik RouterOS is residing on a formatted HDD specific to your installation and containing software packages The main package is the system software package which provides the basic functionality of the router Additional software packages provide support for additional features e g PPPoE PPTP PPP wireless etc Features The modular software package system of MikroTik RouterOS has following features e Ability to add RouterOS functions by installing additional software packages e Optimal usage of the storage space by the modular compressed system e The software packages can be uninstalled e The RouterOS functions and software can be easily upgraded e Multiple packages can be installed at once e The package dependency is checked before installing a software package The package will not be installed if the required software package is missing e The version of the software package should be the same as that of the system package e The packages can be uploaded on the router using ftp and installed only when the router is going for shutdown during the reboot process e If the software package file can be uploaded to the router then the disk space is sufficient for installation of the package Contents of the Manual The fo
462. oTik ip ipsec policy gt add sa src address 10 0 0 205 sa dst address 10 0 0 201 action encrypt admin MikroTik ip ipsec policy gt print Flags X disabled I invalid 0 src address 10 0 0 205 32 any dst address 10 0 0 201 32 any protocol all action encrypt level require ipsec protocols esp tunnel no sa src address 10 0 0 205 sa dst address 10 0 0 201 proposal default manual sa none dont fragment clear admin MikroTik ip ipsec policy gt Argument description src address Source IP address Can be in the form address mask ports dst address Destination IP address Can be in the form address mask ports protocol name or number of protocol action What to do with packet that matches policy Choices are 4 accept pass the packet This is default action when no policies are configured drop drop the packet 4 encrypt apply transformations specified by this policy and its security associations dont fragment default value works OK It is good to have dont fragment cleared because encrypted packets are always bigger than original and thus they may need fragmentation tunnel yes if you want to use tunnel mode In tunnel mode all packets are IPIP encapsulated and their new IP header src and dst are set to sa src and sa dst values of this policy If you don t use tunnel mode i e you use transport mode then only packets whose source and destination is the same as sa src and sa
463. oTik system lcd page gt LCD Troubleshooting 1 LCD does not work cannot be enabled by the system lcd set enabled yes command Probably the selected serial port is used by PPP client or server or by the serial console Check the availability and use of the ports by examining the output of the port print command Alternatively select another port for connecting the LCD or free up the desired port by disabling the related resource 2 LCD does not work does not show any information Probably none of the information display items have been enabled Use the system lcd page set command to enable the display © Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 371 License Management Document revision 9 Aug 2002 This document applies to the MikroTik RouterOS v2 6 Overview MikroTik RouterOS software has a licensing system where Software License Software Key is issued for each individual installation of the RouterOS The Software License can be obtained through the Account Server at www mikrotik com after the MikroTik RouterOS has been installed The Software ID of the installation is required when obtaining the Software License Please read the MikroTik RouterOS Basic Setup Guide for detailed explanation of the installation and licensing process Contents of the Manual The following topics are covered in this manual e Managing the License e Obtaining Additional License Features Manag
464. oTik RouterOS V2 6 Reference Manual 33 Scripting Manual HOST TIMEOUT INTERVAL STATUS 0 1 0 0 0 217 997ms 10s up MikroTik tool netwatch gt print detail Flags X disabled 0 host 10 0 0 217 timeout 997ms interval 10s since mar 22 2002 11 21 03 status up up script gw_2 down script gw_1 MikroTik tool netwatch gt Argument description host IP address of host that should be monitored interval Time between pings Lowering this will make state changes more responsive but can create unnecessary traffic and consume system resources timeout Timeout for each ping If no reply from host is received in this time host is considered unreachable down up script Console script that is executed once when state of host changes from unknown or down to up down script Console script that is executed once when state of host changes from unknown or up to down since Time when state of host changed last time status tells the current status of the host up down unknown State of host changes to unknown when any properties of this list entry are changed or it is enabled or disabled Also any entry that is added has state unknown initially Hint Scripts are not printed by default to see them type print detail Without scripts netwatch can be used just as an information tool to see which links are up or which specific hosts are running at the moment Let s look at the example above it chang
465. ock gt set admin MikroTik system clock gt set date mar 26 2002 time 14 41 00 time zone 02 00 admin MikroTik system clock gt print time mar 26 2002 16 41 12 time zone 02 00 admin MikroTik system clock gt Date and time settings become permanent and affect BIOS settings Configuration Change History The history of system configuration changes is held until the next router shutdown The invoked commands can be undone using the undo command By invoking the command several times the configuration changes can be undone in reverse order they have been invoked Use the system history print command to see the list of performed actions admin MikroTik system history gt print Flags U undoable R redoabl ACTION BY POLICY U new traffic monitor script added U DNS server configuration changed U device changed U marking rule moved admin U route changed U route added U routing table added U ipsec manual sa exl added admin MikroTik system history gt The list is printed with the newest actions at the top MikroTik system history gt undo admin MikroTik system history gt print Flags U undoable R redoabl ACTION BY POLICY R new traffic monitor script added U DNS server configuration changed U device changed U marking rule moved admin U route changed U U U a route added routing table added ipsec manual sa exl added dmin MikroTik system history gt Tip If you accide
466. ome knowledge of configuring TCP IP networks There is a comprehensive list of IP resources compiled by Uri Raz at_http www private org il tcpip_rl html We strongly recommend that you obtain more knowledge if you have difficulties configuring your network setups Next will be discussed situation with hiding the private LAN 192 168 0 0 24 behind one address 10 0 0 217 given to you by the ISP MikroTik RouterOS V2 6 Reference Manual 19 Application Examples Application Example with Masquerading If you want to hide the private LAN 192 168 0 0 24 behind one address 10 0 0 217 given to you by the ISP you should use the source network address translation masquerading feature of the MikroTik router Masquerading is useful if you want to access the ISP s network and the Internet appearing as all requests coming from the host 10 0 0 217 of the ISP s network The masquerading will change the source IP address and port of the packets originated from the network 192 168 0 0 24 to the address 10 0 0 217 of the router when the packet is routed through it Masquerading conserves the number of global IP addresses required and it lets the whole network use a single IP address in its communication with the world To use masquerading a source NAT rule with action masquerade should be added to the firewall configuration admin MikroTik ip firewall src nat gt add action masquerade out interface Public admin MikroTik ip firewall src n
467. omer s local addresses whereas the rule for outgoing traffic should match the router s external address as the source address The previous example would work fine but you cannot exclude the server from being limited To apply specific queuing for the server use ip firewall mangle to mark the packets originated from the server admin MikroTik ip firewall mangle gt add src address 192 168 0 17 32 action passthrough mark flow Serv_Up admin MikroTik ip firewall mangle gt add in interface Local action passthrough mark flow Local all admin MikroTik ip firewall mangle gt print Flags X disabled I invalid 0 src address 192 168 0 17 32 0 65535 in interface all dst address 0 0 0 0 0 0 65535 protocol all tcp options any icmp options any any src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action passthrough mark flow Serv_Up tcp mss dont chang dl src address 0 0 0 0 0 0 65535 in interface Local dst address 0 0 0 0 0 0 65535 protocol all tcp options any icmp options any any src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action passthrough mark flow Local all tcp mss dont chang admin MikroTik ip firewall mangle gt Add a queue to the queue tree which uses the flow mark admin MikroTik queue tree gt add name Server parent Public flow Serv_Up admin MikroTik queue tree gt add name Workst parent Public flow Local all XV lim
468. ommand history hierarchical command structure monitoring of interface status and traffic context specific hints Telnet all terminal console features SSH option cut paste of configuration Serial terminal console all terminal console features System date time setting identity setting upgrade ftp upload users access levels groups PPP access UPS monitoring APC router safe mode on power outage LCD hardware option 2 X 16 or 4 X 24 character backlit displays configurable revolving system status statistics FTP For uploading upgrade packages uploading and downloading scripts HotSpot authorization servlet pages Upgrading Remote upgrading by uploading the software packages to the router Scripting Scripts can be scheduled for executing at certain times periodically or on events All Terminal Console commands are supported in scripts Wireless Interfaces additional license purchase required 2 4 GHz Wireless 802 11b clients Aironet 4800 ISA PCI PC Cisco 340 352 ISA PCI PC MikroTik RouterOS V2 6 Reference Manual 57 MikroTik RouterOS V2 6 Specifications Sheet WaveLAN Bronze Gold Silver ISA PC Prism II chipset based cards 2 4 GHz Wireless 802 11b Access Point Prism II chipset based cards 5 2 GHz Wireless 802 11a Access Points and clients Atheros chipset based cards 5 8 GHz Wireless 10Mbps RadioLAN Synchronous additional license purchase required Protocols PPP Synchronous HDLC Cisco
469. ommands system resource gt irq print admineMikroTik Flags U unused IRQ OWNER 1 keyboard 2 APIC U 3 4 syncl 5 pel U 6 U 7 U 8 U 9 10 ether2 11 etherl U 12 13 FPU 14 IDE 1 fadmin MikroTik PORT RANGE 0 3F 0 5F 0 6F 0 8F O BF O DF O FF FO 1F7 00 33F 3C0 3DF 3F6 3F6 CF8 CFF 1000 10 1000 10 1008 10 6000 60 6000 60 6100 61 6100 61 admin WrPAAP AA BN OF 07 OF FF FF FF FF ikroTik system resource gt io print OWNER APIC timer keyboard DMA APIC DMA FPU IDE 1 pel VGA IDE 1 PCI confl Silicon Integrated Systems SiS 5513 IDE IDE 1 IDE 2 Realtek Semiconductor Co Ltd RTL 8139 8139to0 Realtek Semiconductor Co Ltd RIL 8139 2 8139to0 system resource gt Reboot and Shutdown MikroTik RouterOS V2 6 Reference Manual 387 System Resource Management The system reboot is required when upgrading or installing new software packages The packages are installed during the system shutdown Use the system reboot command to reboot the router admin MikroTik system gt reboot Reboot yes y N y system will reboot shortly Only users which are members of groups with reboot privileges can reboot the router or shutdown The reboot process sends termination signal to all running processes unmounts the file systems and reboots the router Before turning the power off for the router the system should be brought to halt us
470. on The Traceroute feature is included in the system package No installation is needed for this feature Hardware Resource Usage There is no significant resource usage Traceroute Description Traceroute shows the number of hops to the given host address of every passed gateway Traceroute utility sends packets three times to each passed gateway so it shows three timeout values for each gateway in ms The Traceroute session may be stopped when the Ctrl C is pressed admin MikroTik tool gt traceroute Trace route to host by increasing Time To Live value in sent packets and waiting for TTL expired messages from routers lt address gt port UDP port number protocol Protocol of sent packets size Packet size timeout Response wait timeout tos Type of service use dns fadmin MikroTik tool gt traceroute Descriptions of arguments address IP address of the host you are tracing route to port UDP Port number Values are in range 0 65535 protocol Type of protocol to use UDP or ICMP If one fails for example it is blocked MikroTik RouterOS V2 6 Reference Manual 412 Traceroute by a firewall try the other size Packet size in bytes 28 1428 default 64 timeout Response waiting timeout i e delay between messages Can be 1s 5s default 1s tos Type Of Service parameter of IP packet Can be 0 255 default 0 use dns specifies whether to use DNS server which can be set in ip dns me
471. on Id service name for PPPoE server IP address for PPTP interface MSN for ISDN MikroTik RouterOS V2 6 Reference Manual 150 General Point to Point Settings NAS Port TId serial port name for async PPP thernet interface name on which server is running for PPPOE User Name client login name Depending on authentication methods User Password encrypted password used with PAP auth CHAP Password CHAP Challenge encrypted password and challenge used with CHAP auth MS CHAP2 Response MS_CHAP Challenge encrypted password and challenge used with MS CHAPv2 auth Data received from server Access Accept Framed IP Address IP address given to the client If address belongs to networks 127 0 0 0 8 224 0 0 0 4 240 0 0 0 4 IP pool is used from the default profile to allocate client IP address Framed Pool IP pool name on the router from which to get IP address for the client If specified overrides Framed IP Address Tdle Timeout idle timeout parameter Session Timeout session timeout parameter Class cookie will be included in Accounting Request unchanged Framed Route routes to add on the server Format is specified in RFC2865 Ch 5 22 can be specified as many times as needed Filter Id firewall filter chain name It is used to make dynamic firewall rule that will jump to specified chain if incoming or outgoing interface is client PPP PPTP PPPoE interface Firewall chain name can have suffix
472. on the DHCP server assigns address to client from different pool It is recommended that you read_General Point to Point Setting manual first since the authentication configuration is very similar Contents of the Manual The following topics are covered in this manual e Installation Software License e Hardware Resource Usage e How MikroTik HotSpot Gateway Works 4 The Initial Contact 4 The Servlet 4 Authentication Address Assignment Logging Out e MikroTik HotSpot Gateway Setup e HotSpot RADIUS Client Setup 4 RADIUS Parameters 0 Authentication data sent to server Access Request 0 Data received from server Access Accept 0 Accounting information sent to server Accounting Request e HotSpot Profiles e HotSpot Server Settings e HotSpot User Database e HotSpot Cookies e HotSpot Step by Step User Guide Planning the Configuration Setup Example Optional Settings e Customizing the Servlet 4 Servlet Page Description Variable Description Examples MikroTik RouterOS V2 6 Reference Manual 234 HotSpot Gateway Installation The MikroTik HotSpot is included in the HotSpot package This also requires DHCP package Please download the hotspot 2 6 x npk and dhcp 2 6 x npk packages from MikroTik s web site upload them using ftp BINARY mode to router and reboot Use the system package print command to see the list of installed packages Software License The Hotspot limits active user count to 4 for De
473. ond argument is integer Result is IP address admin MikroTik interface gt put 0 0 0 1 lt lt 7 1 255 255 255 128 admin MikroTik interface gt e concatenation Paste together two strings or append one list to another or append an element to a list admin MikroTik interface gt put 1 3 13 admin MikroTik interface gt put 1 2 3 1253 admin MikroTik interface gt put 1 3 4 13 72 admin MikroTik interface gt put 1 2 3 4 1 27374 admin MikroTik interface gt put 1 3 1 ERROR cannot add string to integer number admin MikroTik interface gt Value types Console can work with several types of values Currently it distinguishes between strings truth values also known as booleans numbers time intervals ip addresses internal numbers and lists Currently console tries to convert any value to the most specific type first backing up if it fails This is the order in which console attempts to convert value e list e internal number e number e ip address e time value e truth value e string value MikroTik RouterOS V2 6 Reference Manual 41 Scripting Manual There is no way to explicitly control this type conversion but it will most likely change in future versions Meanwhile this can help to explain why console sometimes corrupts values that are meant to be strings but look like one of the above types admin MikroTik inter
474. onitor pptp status connected uptime 39m46s encoding none MikroTik RouterOS V2 6 Reference Manual 106 Ethernet over IP EolP Tunnel Interface admin Remote interface pptp client gt See the PPTP Interface Manual for more details on setting up encrypted channels 2 Configure the EoIP tunnel by adding the eoip tunnel interfaces at both routers Use the ip addresses of the pptp tunnel interfaces when specifying the argument values for the EoIP tunnel admin Our_GW interface eoip gt add name eoip remote tunnel id 0 remote address 10 0 0 2 admin Our_GW interfac oip gt enabl oip remot admin Our_GW interface eoip gt print Flags X disabled R running 0 nam oip remote mtu 1500 arp enabled remote address 10 0 0 2 tunnel id 0 admin Our_GW interface eoip gt admin Remot interfac oip gt add name eoip tunnel id 0 remote address 10 0 0 1 admin Remot interfac oip gt enabl oip main admin Remot interfac oip gt print Flags X disabled R running 0 name eoip mtu 1500 arp enabled remote address 10 0 0 1 tunnel id 0 Remote interfac oip gt 3 Enable bridging between the EoIP and Ethernet interfaces on both routers On the Our_GW admin Our_GW interface bridge gt add forward protocols ip arp other admin Our_GW interface bridge gt print Flags X disabled R running 0O X name bridgel mtu 1500 arp enabled mac address 00 00 00 00 00 00 forward proto
475. ony voice port linejack gt show stats PBX_Line round trip delay 5ms packets sent 617 bytes sent 148080 send time 31ms 30ms 29ms packets received 589 bytes received 141360 receive time 41ms 30ms 19ms average Jitter delay 59ms packets lost 0 packets out of order 0 packets too late 2 MikroTik ip telephony voice port linejack gt The average jitter delay shows the approximate delay time till the received voice packet is forwarded to the driver for playback The value shown is never less than 30ms although the actual delay time could be less If the shown value is gt 40ms then it is close 1ms to the real delay time The jitter buffer preserves quality of the voice signal against the loss or delay of packets while traveling over the network The larger the jitter buffer the larger the total delay but fewer packets lost due to timeout If the jitter buffer 0 then it is adjusted automatically during the conversation to minimize the number of lost packets The average jitter delay is the approximate average time from the moment of receiving an audio packet from the IP network till it is played back over the telephony voice port The total delay from the moment of recording the voice signal till its playback is the sum of following three delay times e delay time at the recording point approx 38ms e delay time of the IP network 1 5ms and up e delay time at the playback point the jitter delay Mik
476. … 129; Software Packages 129; Software License 130; System Resource Usage 130; Installing the Synchronous Adapter 130; MOXA C101 PCI variant Cabling 131; Loading the Driver for the MOXA C101 Synchronous Adapter 131; Synchronous Interface Configuration 132; Troubleshooting 133; Synchronous Link Applications 133; MikroTik Router to MikroTik Router 134; MikroTik Router to Cisco Router 135; MOXA C502 Synchronous Interfaces 138; Overview 138; Contents of the Manual 138; Synchronous Adapter Hardware and Software Installation 138; Software Packages
477. operation prior turning on the laptop Wavelan client If the laptop Wavelan client has established the wireless link with the MikroTik router it should report the same parameters as set on the MikroTik router s wavelan interface EZ ORINOCO Client Manager File Actions Advanced Help J 6 a Current contiguration profile Ad Hoc z EA EA Status Connected to network home_link Radio connection Peer to Peer Channel Encryption Off Here we see the channel 8 which is 2447MHz frequency IP Network Configuration The IP addresses assigned to the wireless interface of the MikroTik Router should be from the network 192 168 0 0 24 admin home_gw ip address gt add interface Public address 10 1 1 12 24 admin home_gw ip address gt add interface wl home address 192 168 0 254 24 admin home_gw ip address gt print ADDRESS NETMASK NETWORK BROADCAST INTERFACE 0 10 1 1 12 A993 209820030 LOL LoLZ LO LL 299 Public 1 192 168 0 254 LIDAD Di OO 192 168 0 254 192 168 0 255 wl home admin home_gw ip address gt ip route admin home_gw ip route gt add gateway 10 1 1 254 admin home_gw ip route gt print admin MikroTik gt ip route print Flags X disabled I invalid D dynamic J rejected G connect S static R rip O ospf B bgp MikroTik RouterOS V2 6 Reference Manual 210 WaveLAN ORiINOCO 2 4GHz 11Mbps Wireless Interface DST ADD
478. or bridge frequency that AP will use to create BSS 5180 5200 5220 5240 5260 5280 5300 5320 ssid Service Set Identifier In station mode ssid to connect to in AP ssid to use when creating BSS this can not be left blank default authentication only ap bridge or bridge what to do with a client that wants to associate but it is not in the access list default forwarding only ap bridge or bridge what to do with a client that wants to MikroTik RouterOS V2 6 Reference Manual 69 Atheros 5GHz 54Mbps Wireless Interface send packets to other wireless clients but it is not in the access list max clients only ap bridge or bridge maximum number of clients including other access points that is allowed to associate with this access point 1 2007 supported rates Rates at which this node will work 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps basic rates only ap bridge or bridge Rates that every client that plans to connect to this AP should be able to work at protocol One of the 802 11 standard timing settings as suggested by 802 1 1a standard turbo mode atheros turbo mode uses double the amount of radio frequency allowing faster speeds ptp turbo mode atheros turbo mode with speed optimised timing settings to be used in ptp links ack time time in microseconds to wait for ack packet for unicast transmissions should be increased for long distance l
479. originated from the router or masqueraded packets It is because these packets have source address 0 0 0 0 at the moment when they are processed by the routing table Therefore it is not possible to match masqueraded packets by source address with policy routing rule You should use matching by flow together with packet marking instead When finding the route for a packet the packet is matched against policy routing rules one after another until some rule matches the packet Then action specified in that rule is executed If no rule matches the packet it is assumed that there is no route to given host and appropriate action is taken packet dropped and ICMP error sent back to the source If the routing table does not have a route for the packet next rule after the one that directed to current table is examined until either route is found end of rule list is reached or some rule with action drop or unreachable is hit This way it is good to have last rule say from everywhere to everywhere all interfaces lookup main route table because then gateways can be found connected routes are entered in the main table only Action for the rule can be one of e drop silently drop packet e unreachable reply that destination host is unreachable e lookup lookup route in given routing table Note that the only way for packet to be forwarded is to have some rule direct to some routing table that contains route to packet destination
480. ort phone direction port to ip line status unplugged phone number 13 remote party name PBX_Line 10 1 1 12 codec G 723 1 6 3k hw duration 16s admin Joe ip telephony voice port linejack gt Use the telephony logging feature to debug your setup Setting up the IP Telephony Gateway QuickNet LineJACK Voicetronix Zaptel Wildcard or ISDN see the appropriate manual card and the MikroTik RouterOS telephony package should be installed in the MikroTik router IP telephony gateway 10 1 1 12 A PBX line should be connected to the line port of the card For LineJACK card the LED next to the line port should be green not red The IP telephony gateway voip_gw requires the following configuration 1 Set the regional setting to match our PBX The mikrotik seems to be best suited admin voip_gw admin voip_gw Flags X disabled 0 name linejack1 autodial ip telephony voice port linejack gt set linejackl region mikrotik ip telephony voice port linejack gt print region mikrotik playback volume 0 record volum 0 ring cadenc MAS take agc on playback no agc on record no aec yes aec tail length short aec nlp threshold low MikroTik RouterOS V2 6 Reference Manual 293 IP Telephony aec attenuation scaling 4 aec attenuation boost 0 software aec no detect cpt yes admin voip_gw ip telephony voice port linejack gt 2 Add a voip voice port to the ip telephony voice port
481. orted Network Roles Wireless Client Wireless Access Point Wireless Bridge e Installation License System Resource Usage Installing the Wireless Adapter Loading the Driver for the Wireless Adapter e Wireless Interface Configuration e Station Mode Configuration e Monitoring the Interface Status e Access Point Mode Configuration Registration Table 4 Access List Registering the Access Point to another Access Point e Troubleshooting e Wireless Network Applications Wireless Client Wireless Access Point Wireless Bridge e Supported Hardware Supported Network Roles Wireless Client The Atheros interface can be configured to act as an IEEE 802 11a wireless client station to associate with an access point MikroTik RouterOS V2 6 Reference Manual 67 Atheros 5GHz 54Mbps Wireless Interface Wireless Access Point The Atheros interface can be configured to act as an IEEE 802 11a wireless access point The access point can register wireless clients Wireless Bridge This is limited version of the Access Point mode that allows only one client to be registered but does not require the AP feature license only the 2 4GHz Wireless license Thus it is possible to create point to point links and bridge networks over wireless links Installation The MikroTik Router should have the atheros software package installed The software package file atheros 2 6 x npk can be downloaded from MikroTik s web page
482. ot require a manual driver loading since they are recognized automatically by the system and the driver is loaded at the system startup The Prism driver is not shown under the driver list If you have wireless feature license prism interface should show up under the interface list There can be several reasons for a failure to load the driver for example • The driver cannot be loaded because there are too many PCMCIA slots on your system more than 8 Consult the driver manual Notes on PCMCIA Adapters • The driver cannot be loaded because other device uses the requested IRQ Try to set the IRQ assignment to PCI slots using the system BIOS configuration Usually two consecutive beeps of high tone can be heard during the startup of the MikroTik RouterOS router with PCMCIA Prism II card If the second beep has a lower tone or there is only one lower tone beep most likely there is a compatibility problem with the motherboard Try to use another type of motherboard Wireless Interface Configuration If the driver has been loaded successfully and you have the required 2 4GHz Wireless Software License then the Prism II 2 4GHz Wireless interface should appear under the interface list with the name prismX where X is 1 2 You can change the interface name to a more descriptive one using the set command To enable the interface use
483. oteOffice interface pptp enabled yes mtu 1460 mru 1460 authentication mschap2 default profile default admin RemoteOffice interface pptp server server gt n rver server gt set enabled yes rver server gt print n Finally the proxy ARP must be enabled on the Office interface admin RemoteOffice interface ethernet gt set Office arp proxy arp admin RemoteOffice interface ethernet gt print Flags X disabled R running NAME MTU MAC ADDRESS ARP O R ToInternet 1500 00 30 4F 0B 7B C1 enabled 1 R Office 1500 00 30 4F 06 62 12 proxy arp admin RemoteOffice interface ethernet gt PPTP Setup for Windows Microsoft provides PPTP client support for Windows NT 2000 ME 98se and 98 Windows 98se 2000 and ME include support in the Windows setup or automatically install PPTP For 95 NT and 98 installation requires a download from Microsoft Many ISPs have made help pages to assist clients with Windows PPTP installation Links http www real time com Customer Support PPTP Config pptp_config html http www microsoft com windows95 downloads contents WUAdminTools S_WUNetworkingTools W95 Winsock Sample instructions for PPTP VPN installation and client setup Windows 98se If the VPN PPTP support is installed select Dial up Networking and Create a new connection The option to create a VPN should be selected If there are no VPN options then follow the installation inst
484. ource Usage There is no significant resource usage Backup and Restore Description The Backup and Restore feature can be found under the system backup submenu This function is used to store the entire router configuration in a backup file The file is stored in the file folder under admin MikroTik file gt You can download this file via ftp to keep it as a backup for your configuration To restore the system configuration for example after a system reset you can upload that file via ftp and then load that backup file using the load command in the system backup submenu Backup and Restore Examples To make a backup file use the following command admin MikroTik system backup gt save name test Configuration backup saved admin MikroTik system backup gt To see the files stored on the router use the following command admin MikroTik gt file print NAME TYPE SIZE CREATION TIME O MikroTik 12082002 2107 backup backup 12567 aug 12 2002 21 07 50 admin MikroTik gt To load the saved backup file use the following command admin MikroTik system backup gt load name test Restore and reboot y N The restored configuration is loaded and the router is rebooted Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 367 Liquid Crystal Display LCD Manual Document revision 02 Dec 2002 This document applies t
485. ous Interface Configuration e Troubleshooting e Synchronous Link Applications MikroTik Router to MikroTik Router Synchronous Adapter Hardware and Software Installation Software Packages The MikroTik Router should have the FarSync X 21 synchronous software package installed The software package file farsync 2 6 x npk about 110 Kb can be downloaded from MikroTik s web page www mikrotik com To install the package please upload the correct version file to the router and reboot Use BINARY mode ftp transfer After successful installation the package should be listed under the installed software packages list Software License The FarSync X 21 Synchronous Adapter requires the Synchronous Feature License One license is for one installation of the MikroTik RouterOS regardless of how many cards are installed in one PC box The Synchronous Feature is not included in the Free Demo or Basic Software License The Synchronous Feature cannot be obtained for the Free Demo License It can be obtained only together with the Basic Software License Synchronous Interface Configuration You can change the interface name to a more descriptive one using the set command To enable the interface use the enable command admin MikroTik gt interface print Flags X disabled D dynamic R running NAME TYPE MTU O R ether1 ether 1500 1 X farsync1 farsync 1500 MikroTik RouterOS V2 6 Reference Manual 108 FarSync X 21 Interface
486. outerOS The pppoe 2 6 x npk package and the ppp 2 6 x npk are required The packages can be downloaded from MikroTik s web page www mikrotik com To install the packages please upload them to the router with ftp and reboot PPPoE hardware resource usage The PPPoE client uses a minimum amount of memory The PPPoE server access concentrator uses a minimum amount of memory for the basic setup Each current PPPoE server connection uses approximately 100 200KB of memory For PPPoE servers access concentrators designed for a large number of PPPoE connections additional RAM should be added In version 2 6 there is currently a maximum of 5000 connections For example a 1 000 user system should have 200MB of free RAM above the normal operating RAM For a large number of clients a faster processor system is required We recommend using a Celeron 600MHz processor or higher A future rewrite of parts of PPP is expected to significantly reduce the requirements PPPoE Client Setup The PPPoE client supports high speed connections It is fully compatible with the MikroTik PPPoE server access concentrator Tests with different ISPs and access concentrators are currently under way Note for Windows Some connection instructions may use the form where the phone number is MikroTik_AC mt1 to indicate that MikroTik_AC is the access concentra
487. p arsinfo cit buffalo edu FAO fag cgi pke ISC 20DHCP O Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 215 DNS Cache Document revision 16 Oct 2002 This document applies to the MikroTik RouterOS V2 6 Overview DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time This is a simple recursive DNS server without any local items DNS protocol is described in RFC1035 and related documents Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e DNS Cache Description e DNS Cache Setup e Monitoring DNS Cache e Additional Resources Installation The DNS cache feature is included in the dns cache package The package file dns cache 2 6 x npk can be downloaded from MikroTik s web page www mikrotik com To install the package please upload it with ftp in BINARY mode to the router and reboot Use the system package print command to see the list of installed packages Hardware Resource Usage The feature uses a minimum of resources But if you plan to use a larger cache than it is by default you should monitor RAM usage DNS Cache Description The MikroTik router with DNS cache feature enabled can be set as primary DNS server for any DNS compliant clients Moreover MikroTik router can be specified as primary DNS server under its dhcp server settings When the DNS cache is
488. pf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 E Lale lee dl farsyncl 1 DC 10 0 0 0 24 r 10 0 0 254 1 ether2 2 DC 192 168 0 0 24 r 192 168 0 254 0 etherl 3 DE LLL 2 32 120000 0 farsyncl admin MikroTik ip route gt The configuration of the Mikrotik router at the other end is similar admin MikroTik ip address gt add address 1 1 1 2 32 interface fsync network 1 1 1 1 broadcast 255 255 255 255 admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 1 12 24 TOF Lido V2 10rd 255 Public Lele tu2 732 Te Lalat 2559429572994295 ESync admin MikroTik ip address gt ping 1 1 1 1 1 1 1 1 64 byte pong tt1 255 time 31 ms 1 1 1 1 64 byte pong tt1l 255 time 26 ms 1 1 1 1 64 byte pong tt1l 255 time 26 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 26 27 6 31 ms admin MikroTik ip address gt Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 112 FrameRelay PVC Interfaces Document revision 14 Aug 2002 This document applies to MikroTik RouterOS v2 6 Overview Frame Relay is a multiplexed interface to packet switched network Frame Relay is a simplified form of Packet Switching similar in principle to X 25 in which synchronous frames of data are routed to different destinations depending on header i
489. point application cleared call 1 Local endpoint did not accept call 2 Local endpoint declined to answer call 4 3 Remote endpoint application cleared call 4 Remote endpoint refused call 5 Remote endpoint did not answer in required time 6 Remote endpoint stopped calling 7 Transport error cleared call 8 Transport connection failed to establish call 9 Gatekeeper has cleared call 10 Call failed as could not find user in GK 11 Call failed as could not get enough bandwidth 12 Could not find common capabilities 13 Call was forwarded using FACILITY message 14 Call failed a security check and was ended 15 Local endpoint busy 16 Local endpoint congested 17 Remote endpoint busy 18 Remote endpoint congested 19 Could not reach the remote party 20 The remote party is not running an endpoint 21 The remote party host off line 22 The remote failed temporarily app may retry h323 disconnect time session disconnect time only in INTERIM UPDATE and STOP records h323 connect time session establish time only in INTERIM UPDATE and STOP records h323 gw id name of gateway emitting message should be equal to NAS Identifier h323 call type call leg type should be VoIP h323 call origin indicates origin of call relative to gateway answer for calls from IP network originate to IP network
490. port CBQ RED SFQ byte limited queue packet limited queue Point to Point links ISDN dial out ISDN dial in RADIUS authentication accounting onboard serial ports PPTP encrypted tunnel VPN PPTP Access Concentrator PPPoE client PPPoE Access Concentrator server modem pool Tunnels IPIP tunnels EoIP Ethernet over IP IPsec IP encryption IPsec VLAN Virtual LAN support DHCP DHCP server per interface DHCP client HotSpot HotSpot Gateway NTP Network Time Protocol server and client Monitoring Accounting IP traffic accounting firewall actions logging Tools ping traceroute bandwidth test ping flood telnet DNS client name resolving for local use Dynamic DNS Client SNMP MikroTik RouterOS V2 6 Reference Manual 56 MikroTik RouterOS V2 6 Specifications Sheet read only access Special Protocols 4 MikroTik Packet Packer Protocol M3P For Wireless links and for Ethernet MikroTik Neighbor Discovery Protocol MNDP Caching Features e DNS cache e SQUID caching proxy Administration General History undo redo display multiple administrator connections Real time updates in WinBox GUI real time configuration Web GUI Uses GUI tool for remote administration graphing of traffic statistics and resource monitoring multiple internal configuration windows Terminal Console standard keyboard and monitor connection scripting import export of configuration scripts to screen file c
491. r experimental for most of the cards agc on playback automatic gain control on playback cannot be used together with hardware voice codecs agc on record automatic gain control on record cannot be used together with hardware voice codecs detect cpt automatically detect call progress tones For linejacks there is a command blink voiceport which blinks the LEDs of the specified voiceport for five seconds after it is invoked This command can be used to locate the respective card under several linejack cards Voice Port for ISDN All commands relating to the ISDN voice ports are listed under the ip telephony voice port isdn menu In contrast to the phonejack and linejack voice ports which are as many as the number of cards installed the isdn ports can be added as many as desired admin MikroTik ip telephony voice port isdn gt print Flags X disabled 0 name isdn1 autodial region germany msn 140 lmsn playback volume 0 record volume 0 agc on playback no agc on record no software aec no aec yes aec tail length short admin MikroTik ip telephony voice port isdn gt Argument descriptions name Name given by the user or the default one msn Telephone number of the ISDN voice port ISDN MSN number lmsn msn pattern to listen on It determines which calls from the ISDN line this voice port should answer If left empt
492. r mode NTP client connects to specified NTP server IP address of NTP server must be set in ntp server and or second ntp server parameters At first client synchronizes to NTP server Afterwards client periodically 64 1024s sends time requests to NTP server Unicast mode is the only one which uses ntp server and second ntp server parameters • In broadcast mode NTP client listens for broadcast messages sent by NTP server After receiving first broadcast message client synchronizes local clock using unicast mode and afterwards does not send any packets to that NTP server It uses received broadcast messages to adjust local clock • Multicast mode acts the same as broadcast mode only instead of broadcast messages IP address 255 255 255 255 multicast messages are sent IP address 224 0 1 1 • Manycast mode actually is unicast mode only with unknown IP address of NTP server To discover NTP server client sends multicast message IP 239 192 1 1 If NTP server is configured to listen for these multicast messages manycast mode is enabled it replies After client receives reply it enters unicast mode and synchronizes to that NTP server But in parallel client continues to look for more NTP servers by sending multicast messages periodically Status of NTP client can be monitored by looking at status parameter There are several possible statuses e stopp
493. r message if previous login failed invalid username or password input_user name and value of username input field name user value john input_password name of password input field name password input_popup name and value of popup input field name popup checked form_input name of input form and JavaScript for password encoding name login onSubmit main MD5 encryption JavaScript and form for encrypted password Note that the login page is required to use the main variable And it is strongly suggested to place it BEFORE form_input input form Otherwise it can happen that the user has already entered his username password but the MD5 encryption JavaScript is not yet loaded It may result in the password being sent over ethernet in plain text And of course that login will fail in this case too • alogin html link_redirect page to which redirect has to be done for example http www mt lv login_time time in seconds after which redirect has to be done popup true if alogin html should pop up status page in new window false otherwise • status html logout html information on logged in user username name john ip IP address 192 168 0 222 mac MAC address 01 02 03 04 05 06 uptime logged in time 10h2m33s session timeout session timeout left for user 5h or
494. r referencing it from policy pfs group Diffie Hellman group used for Perfect Forward Secrecy Proposals on both peers must at least partially match The more they match the better Installed SA Prints a lot of information about each installed SA including keys admin MikroTik ip ipsec installed sa gt print Flags A AH E ESP P pfs M manual 0 E spi 21237B07 direction out src address 10 0 0 204 dst address 10 0 0 201 auth algorithm sha1 enc algorithm 3des replay 4 state mature auth key 3c1f4a3f5d2014e565f9f3fb671bab89056febb5 enc key 725d43ed2742530a257d19dd3670225 ea7a50060aa760a3 add lifetime 24m 30m use lifetime 0s 0s lifebytes 0 0 current addtime nov 24 2008 14 28 42 current usetime jan 01 1970 00 00 00 current bytes 0 1 E spi FAACF20D direction in src address 10 0 0 201 dst address 10 0 0 204 auth algorithm sha1 enc algorithm 3des replay 4 state mature auth key ackb0c8c3dc81f3ff5f92cbc15c49c7a710f9efa5s enc key a50c04b44904c07009c3e218760f3827493579172b29 bcfa add lifetime 24m 30m use lifetime 0s 0s lifebytes 0 0 current addtime nov 24 2008 14 28 42 current usetime jan 01 1970 00 00 00 current bytes 0 admin MikroTik ip ipsec installed sa gt Description of the printout spi SPI value of SA in hexadecimal replay size of replay window in bytes state larval mature dying or dead auth algorithm none md5
495. ransparent proxy and redirected TCP port 80 to it my WinBox stopped working TCP port 80 is used by WinBox when connecting to the router You should exclude the router s address 80 from redirection by using rule ip firewall src nat add dst address address 32 80 protocol tcp action accept BEFORE the redirect rule Alternatively you can use just one rule ip firewall src nat add dst address address 32 80 protocol tcp action redirect to dst port 8080 • I use firewall to block access to the router from the Internet My proxy does not work Make sure you allow established TCP connections with tcp option non syn only to the router before blocking everything else The rule is like this ip firewall rule input add protocol tcp tcp options non syn only connection state established Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 321 Queues and Bandwidth Management Document revision 17 Jan 2003 This document applies to the MikroTik RouterOS V2 6 Overview Queuing is a mechanism that controls bandwidth allocation delay variability timely delivery and delivery reliability The MikroTik RouterOS supports the following queuing mechanisms PFIFO Packets First In First Out BFIFO Bytes First In First Out SFQ Stochastic Fair Queuing RED Random Early Detection The queuing can be used for limiting the bandwidth
496. remote router must be MikroTik router in order to run the test Be aware that default test uses all available bandwidth and may impact network usability lt address gt assume lost time direction Direction of data flow do duration interval local tx speed once print statistics once and quit password Password for remote user protocol Protocol to use for test remote tx speed size UDP packet size or TCP segment size user admin MikroTik tool gt bandwidth test Descriptions of arguments address IP address of destination host assume lost time If Bandwidth Server is not responding for that time assume that connection is lost direction specify the direction of the test receive transmit both default is transmit do Script source duration Duration of the test interval Delay between messages in seconds Default is 1 second Can be 20ms 5s local tx speed Transfer test maximum speed given in bits per second password Password for remote user protocol Type of protocol to use UDP or TCP default TCP remote tx speed Receive test maximum speed given in bits per second size Packet size in bytes 50 1500 default 512 Works only with UDP protocol user Remote user Bandwidth Test Example admin MikroTik tool gt bandwidth test 10 0 0 202 user admin direction both protocol udp size 1500 duratio
497. requency 5180MHz ssid testing supported rates 6 54 basic rates 6 protocol 802 11 standard ack time 26 default authentication yes default forwarding yes max clients 2007 admin MikroTik interface atheros gt The non root access point will register the clients only if it is registered to the root access point Having one access point registered to another one enables bridging the networks if bridging mode between atheros and ethernet interfaces is used Note that in the station mode bridging cannot be used between atheros and ethernet interfaces Troubleshooting The atheros interface does not show up under the interfaces list Obtain the required license for 2 4GHz wireless feature The access list has entries restricting the registration but the node is still registered Set some parameter of the atheros interface to get all nodes re register • The wireless card does not register to the AP Check the cabling and antenna alignment Check if you have correct settings for supported rates and basic rates The default supported rates 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps and basic rates 6Mbps should work for all nodes on your system • There is occasional packet loss when I ping the wireless client Packet loss is due to attempts to change the transmit data rate to a higher one For lower qual
498. ress the packet has been received from src netmask Source netmask in decimal form x x x x src port Source port number or range 0 65535 0 means all ports 1 65535 in interface interface the packet has entered the router through If the default value all is used it may include the local loopback interface for packets originated from the router tcp mss MANGLE only The new TCP Maximum Segment Size MSS value MTU minus 40 or dont change tcp options all syn only non syn only non syn only is for all other options than syn only connection state any established invalid new related The connection state flow Flow mark to match Only packets marked in the MANGLE would be matched jump target Name of the target chain if the action jump is used log Log the action yes no To view the byte and packet counters use commands print bytes print packets To reset the counters use the command reset counters If the packet matches the criteria of the rule then the performed ACTION can be • accept Accept the packet No action i e the packet is passed through without undertaking any action except for mangle and no more rules are processed in the relevant list chain • drop Silently drop the packet without sending the ICMP reject message • jump jump to the chain specified by the value of the jump target argument • passthrough ignore this rule
499. ressed 0 pkts not compressed 0 pkts compr failed 0 pkts decompress failed 0 send errors 0 recv errors 0 local crypto endpt 10 0 1 2 remote crypto endpt 10 0 1 1 path mtu 1500 media mtu 1500 current outbound spi 1308650C inbound esp sas spi 0x90012A 9437482 transform esp des esp sha hmac in use settings Tunnel slot 0 conn id 2000 flow_id 1 crypto map mymap sa timing remaining key lifetime k sec 4607891 1034 IV size 8 bytes replay detection support Y inbound ah sas inbound pcp sas outbound esp sas spi 0x1308650C 319317260 transform esp des esp sha hmac in use settings Tunnel slot 0 conn id 2001 flow_id 2 crypto map mymap sa timing remaining key lifetime k sec 4607893 1034 IV size 8 bytes replay detection support Y outbound ah sas outbound pcp sas IPsec setup between RouterOS router and Windows SonicWall Client IPSec setup of RouterOS router as a Security Gateway for SonicWALL VPN client ji oroe ae Configuring remote access of 1 1 1 0 network through 10 0 0 204 RouterOS router 10 0 0 204 1 1 1 00124 RouterOS MikroTik RouterOS V2 6 Reference Manual 269 Configuring RouterOS IPsec 1 Add peer configuration Use Triple DES and SHA 1 algorithms to protect phase 1 traffic Set proposal check to obey to allow remote client to connect even if lifetime and pfs settings in its proposal don t match
500. resses will be gathered from ip arp statically set table only mode Mode of the interface station card works as station client for the wireless infrastructure bridge card works as access point but can register only one client or access point ap bridge card works as access point i e it creates wireless infrastructure root ap only ap bridge or bridge MAC address of the root access point to register to frequency only ap bridge or bridge Frequency that AP will use to create BSS ssid Service Set Identifier In station mode ssid to connect to in AP and P2P mode ssid to use when creating BSS this can not be left blank default authentication only ap bridge or bridge What to do with client that wants to associate but it is not in the access list default forwarding only ap bridge or bridge What to do with client that wants to send packets to other wireless clients but it is not in the access list max clients only ap bridge or bridge Maximum number of clients including other access points that is allowed to associate with this access point 1 2007 card type Card type used for power settings 100mW 200mW 30mW generic default is generic tx power Transmit power level 0dBm 1mW 23dBm 200mW auto Has no effect if card type is generic auto means
501. rface atheros1 admin MikroTik interface atheros access list gt print Flags X disabled 0 mac address 00 06 AB 00 37 72 interface atheros1 authentication yes forwarding yes admin MikroTik interface atheros access list gt Argument description mac address MAC address of the client interface AP interface authentication accept this client when it tries to connect or not forwarding forward the client s frames to other wireless clients or not If you have default authentication action for the interface set to yes you can disallow this node to register at the AP s interface atheros1 by setting authentication no for it Thus all nodes except this one will be able to register to the interface atheros1 If you have default authentication action for the interface set to no you can allow this node to register at the AP s interface atheros1 by setting authentication yes for it Thus only the specified nodes will be able to register to the interface atheros1 Registering the Access Point to another Access Point You can configure the access point to register to another root access point by specifying the MAC address of the root access point admin MikroTik interface atheros gt set atheros1 root ap 00 06 AB 00 37 75 admin MikroTik interface atheros gt print Flags X disabled R running O R name atheros1 mtu 1500 mac address 00 06 AB 00 37 8F arp enabled mode ap bridge root ap 00 06 AB 00 37 75 f
502. rgument names arguments that have only several possible values like names of items in some lists or name of protocol in firewall and NAT rules You can t complete numbers IP addresses and similar values Note that pressing TAB key while entering IP address will do a DNS lookup instead of completion If what is typed before cursor is a valid IP address it will be resolved to a DNS name reverse resolve otherwise it will be resolved directly i e to an IP address To use this feature DNS server must be configured and working To avoid input lockups any such lookup will timeout after half a second so you might have to press TAB several times before name is actually resolved It is possible to complete not only beginning but also any distinctive substring of name if there is no exact match console starts looking for words that have string being completed as first letters of a multiple word name or that simply contain letters of this string in the same order If single such word is found it is completed at cursor position For example admin MikroTik gt interface x TAB _ admin MikroTik gt interface export _ x is completed to export because no other word in this context contains x admin MikroTik gt interface mt TAB _ admin MikroTik gt interface monitor traffic _ No word begins with letters mt but it is an abbreviation of monitor traffic Another way to press fewer keys while typing is to abbreviate comma
503. rgument which must be a condition that is an expression that must return truth value If computing condition returns true commands that are given as value for do argument are executed otherwise else commands are else argument is optional admin MikroT true Sikes se TE admin MikroTik gt 10 0 0 1 pong timeout L packets transmitted gateway unreachable admin MikroTik gt yes do put yes else put no if ping 10 0 0 1 count 1 0 do put gateway unreachable O packets received 100 packet loss There are four loop control commands in console They all have do argument which is the console commands that have to be executed repeatedly e while This command has one unnamed argument a condition It is evaluated every time before executing do commands If result is not a truth value error is reported If the result of condition is true commands are executed once and the condition is evaluated again and this is repeated until condition returns false do It has one unnamed argument which is the console commands that must be executed It is similar to the do argument of other commands If no other arguments are given do just executes this command once There is not much use in that If you specify a condition as a value for while argument it is evaluated after executing commands and if it returns true commands are executed again and this is repeated until the condition returns false If you
504. ridge port gt print Flags X disabled INTERFACE BRIDGE 0 etherl bridgel 1 atherosl bridgel admin MikroTik interface bridge port gt 3 Enable the bridge interface admin MikroTik interface gt print Flags X disabled D dynamic R running NAME TYPE MTU O R etherl ether 1500 1 R atherosl atheros 1500 2 X bridgel bridge 1500 admin MikroTik interface gt enable bridgel admin MikroTik interface gt print Flags X disabled D dynamic R running NAME TYPE MTU O R etherl ether 1500 1 R atherosl atheros 1500 2 R bridgel bridge 1500 admin MikroTik interface gt 4 Assign an IP address to the bridge interface and specify the default gateway for the access point admin MikroTik ip address gt add address 10 0 0 250 24 interface bridgel admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 250 24 10 0 0 0 10 00 295 bridgel admin MikroTik ip address gt route add gateway 10 0 0 1 admin MikroTik ip address gt route print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 110001 1 bridgel 1 DC 10 0 0 0 24 PO 00650 0 bridgel admin MikroTik ip address gt The client router requires the System Service Identifi
505. ridge1 1 10 1 1 12 24 LOZE otw Q 10 1 L 259 wavelan1 admin MikroTik ip address gt Note Assigning IP address to bridged interfaces ether1 or ether2 makes no sense Thus when you assign some interface to a bridge move its IP address to it at the same time Hosts on LAN segments 1 and 2 should use IP addresses from the same network 192 168 0 0 24 and have the default gateway set to 192 168 0 254 MikroTik router Bridge Monitoring The bridge can be monitored in real time The bridging table shows the MAC address of hosts interface which can forward packets to the host and the age of the information shown in seconds admin MikroTik interface bridge host gt print Flags L local BRIDGE AC ADDRESS ON INTERFACE AGE bridge1 00 00 B4 5B A6 58 ether1 4m48s bridge1 00 30 4F 18 58 17 ether1 4m50s L bridge1 00 50 08 00 00 F5 ether1 Os L bridge1 00 50 08 00 00 F6 ether2 Os bridge1 00 60 52 0B B4 81 ether1 4m50s bridge1 00 C0 DF 07 5E E6 ether1 4m46s bridge1 00 E0 C5 6E 23 25 ether2 4m48s bridge1 00 E0 F7 7F 0A B8 ether1 1s admin MikroTik interface bridge host gt Bridge Firewall Traffic between bridged interfaces can be firewalled The arguments used here are almost the same as for general firewalling action Action to undertake if the packet matches the rule see below dst ad
506. right 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 332 Open Shortest Path First OSPF Routing Protocol Document revision 18 Jan 2003 This document applies to the MikroTik RouterOS V2 6 Overview MikroTik RouterOS implements OSPF Version 2 RFC 2328 The OSPF protocol is a link state protocol that takes care of the routes in the dynamic network structure that can employ different paths to its subnetworks It always chooses the shortest path to the subnetwork first OSPF distributes routing information between routers belonging to a single autonomous system AS An AS is a group of routers exchanging routing information via a common routing protocol Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e OSPF Description e OSPF Setu 4 Setting the Basic OSPF Argument Values OSPF Areas 4 OSPF Network 4 OSPF Interfaces OSPF Virtual Links OSPF Neighbours Running OSPF e OSPF Troubleshooting e Additional Resources e OSPF Application Examples e OSPF Backup without using Tunnel OSPF Main Router Setup OSPF peer 1 Router Setup OSPF peer 2 Router Setup Routing Tables Routing Tables with Revised Link Cost Functioning of the Backup e OSPF Backup using Encrypted Tunnel through a Third Party Installation The OSPF feature is included in the ospf package The package file ospf 2 6 x npk can be downloaded from MikroTik s w
507. rint Flags X disabled D dynamic H hotspot ADDRESS MAC ADDRESS EXPIRES A SERVER STATUS 0D 10 0 0 202 00 04 EA 99 63 C4 1h47m24s dhcp office bound de De 0 5 2 0 00 04 EA C6 0E 40 1h54m9s switch bound 2 D gt OZ OL 00 04 EA 99 63 C0 1h48m1s switch bound 3D 10 0 0 201 00 00 E8 69 68 FE 2h40m4s dhcp office bound admin MikroTik ip dhcp server gt MikroTik RouterOS V2 6 Reference Manual 214 DHCP Client and Server Static Leases To assign static IP address for DHCP client static leases can be used Static leases can be assigned to MAC addresses using lease add command admin MikroTik ip dhcp server lease gt print Flags X disabled D dynamic H hotspot ADDRESS MAC ADDRESS EXPIRES A SERVER STATUS 0D 10 5 2 90 00 04 EA C6 0E 40 1h48m59s switch bound 1D 105 291 00 04 EA 99 63 C0 1h42m51s switch bound admin MikroTik ip dhcp server lease gt add copy from 0 address 10 5 2 100 admin MikroTik ip dhcp server lease gt print Flags X disabled D dynamic H hotspot ADDRESS MAC ADDRESS EXPIRES A SERVER STATUS ToD 045 294 00 04 EA 99 63 C0 1h42m18s switch bound 2 10 5 2 100 00 04 EA C6 0E 40 1h48m26s switch bound admin MikroTik ip dhcp server lease gt Leases assigned dynamically by the DHCP server are shown as dynamic Printout description use print detail to see all arguments
508. rint detail Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp 0 DC dst address 192 168 0 0 24 preferred source 192 168 0 254 gateway 0 0 0 0 gateway state reachable distance 0 interface Local 1 DC dst address 10 0 0 0 24 preferred source 10 0 0 217 gateway 0 0 0 0 gateway state reachable distance 0 interface Public admin MikroTik ip route gt These routes show that IP packets with destination to 10 0 0 0 24 would be sent through the interface Public whereas IP packets with destination to 192 168 0 0 24 would be sent through the interface Local However you need to specify where the router should forward packets which have destination other than networks connected directly to the router This is done by adding the default route destination 0 0 0 0 netmask 0 0 0 0 In this case it is the ISP s gateway 10 0 0 1 which can be reached through the interface Public admin MikroTik ip route gt add gateway 10 0 0 1 admin MikroTik ip route gt print Flags X disabled I invalid D dynamic J rejected Cc connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 r 10 0 0 1 1 Public 1 DC 192 168 0 0 24 r 0 0 0 0 0 Local 2 DC 10 0 0 0 24 E 0204030 0 Public admin MikroTik ip route gt Here the default route is listed under 0 As we see the gateway 10 0 0 1 can be reached through t
509. rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 r 10 0 0 1 1 ether6 1 DC 192 168 1 0 24 r 0 0 0 0 0 ether4 2 DC 10 10 10 0 24 r 0 0 0 0 0 prisml 3 DC 10 0 0 0 24 E 00030 0 ether6 admin MikroTik ip route gt Notice that prompt changes to show where in the command hierarchy you are located at the moment To change to top level type admin MikroTik ip route gt admineMikroTik gt To move up one command level type admin MikroTik ip route gt admin MikroTik ip gt You can also use and to execute commands from other levels without changing the current level admin MikroTik ip route gt ping 10 0 0 10 10 0 0 10 64 byte pong tt1 128 time 5 ms 10 0 0 10 64 byte pong tt1 128 time 6 ms 2 packets transmitted 2 packets received 0 packet loss round trip min avg max 5 5 5 6 ms admin MikroTik ip route gt Or alternatively to go back to the base level you could use the twice admin MikroTik ip route gt ping 10 0 0 10 10 0 0 10 64 byte pong tt1 128 time 8 ms 10 0 0 10 64 byte pong tt1 128 time 6 ms 2 packets transmitted 2 packets received 0 packet loss round trip min avg max 6 7 0 8 ms admin MikroTik ip route gt Lists Many of the command levels operate with arrays of items interfaces routes users etc Such arrays are displayed in similarly looking lists All items in the list have an item number followed by its paramet
510. ription e Serial Terminal Usage e Serial Terminal Examples Installation The Serial Terminal feature is included in the system package No installation is needed for this feature Hardware Resource Usage There is no significant resource usage Serial Terminal Description All keyboard input is forwarded to the serial port and all data from the port is output to the connected device After exiting with Ctrl Q the control signals of the port are lowered It is not possible to send the Ctrl Q key to the serial port as it is intercepted and the serial terminal is closed The speed and other parameters of the serial port may be configured in the port directory of router console No terminal translation on printed data is performed It is possible to get the terminal in an unusable state by outputting sequences of inappropriate control characters or random data Do not connect to devices at an incorrect speed and avoid dumping binary data Serial Terminal Usage The serial terminal is invoked with one argument the name of serial port admin MikroTik system gt serial terminal port serial0 Type Ctrl Q to return to console MikroTik RouterOS V2 6 Reference Manual 383 Serial Terminal Serial Terminal Examples Several customers have described situations where the serial terminal feature would be useful One situation is described as a mountaintop where a MikroTik wireless installation sits next to equipment that also includes sw
511. riptions of settings name Interface name for reference mtu Maximum Transmit Unit Should be the default 1500 bytes arp Address Resolution Protocol one of the disabled the interface will not use ARP protocol enabled the interface will use ARP protocol proxy arp the interface will be an ARP proxy see corresponding manual reply only the interface will only reply to the requests originated to its own IP addresses but neighbour MAC addresses will be gathered from ip arp statically set table only tunnel id Should be a number that is not being used for an another EoIP tunnel remote address The IP address of the other side of the EoIP tunnel must be a MikroTik router You can assign an IP address to the EoIP interface The router at the other end should have the same tunnel id value and should have the remote address set to MikroTik There is no authentication or state for this interface The bandwidth usage of the interface may be monitored with the monitor feature from the interface menu MikroTik RouterOS V2 6 Reference Manual 105 Ethernet over IP EolP Tunnel Interface EolP Application Example Let us assume we want to bridge two networks Office LAN and Remote LAN The networks are connected to an IP network through the routers Our_GW and Remote The IP network can be a private intranet or the Internet Both routers can communicate with each oth
512. rithm des replay 4 state mature auth key 5697ee9fe98867005ac057elb62a6c3b enc key 7b992840ea30b180 add lifetime 24m 30m use lifetime 0s 0s lifebytes 0 0 current addtime nov 26 2002 09 33 47 current usetime no0v 26 2002 09 33 53 current bytes 896 1 E spi A472A105 direction in src address 10 0 0 81 dst address 10 0 0 204 auth algorithm md5 enc algorithm des replay 4 state mature auth key 0655b51846308f68ce964d90b5580cd enc key a3623a16f6bef13d add lifetime 24m 30m use lifetime 0s 0s lifebytes 0 0 current addtime nov 26 2002 09 33 47 current usetime n0v 26 2002 09 33 53 current bytes 0 MikroTik RouterOS V2 6 Reference Manual 274 IPsec On the SonicWall side you can view logs and connection statistics by right clicking the SonicWALL tray icon and choosing appropriate options Clear Freeze Save Log Print Close 09 33 42 402 09 33 42 503 My Connections my connection 09 33 42 503 My Connectionsimy connection 09 33 42 523 My Connections my connection 09 33 42 583 My Connectionsimy connection 09 33 42 793 My Connectionsimy connection 09 33 42 823 My Connections my connection 09 33 43 033 My Connectionsimy connection 09 33 43 033 My Connectionsimy connection 09 33 43 033 MY COOKIE 1 00058 6a b4 ff Initiating IKE Phase 1 IP ADDR 10 0 0 204 SENDING gt gt gt gt ISAKMP OAK MM 54 VID RECEIVED lt lt lt ISAKMP OAK MM 54 VID SENDING gt gt gt gt ISAKMP OAK MM KE NON
513. rk Setting the Basic OSPF Argument Values To view the argument settings for OSPF use the routing ospf print command for example admin MikroTik routing ospf gt OSPF is a shortest path first or link state protocol OSPF is an interior gateway protocol that distributes routing information between routers in a single autonomous system OSPF is described in RFC1583 interface OSPF interface settings network OSPF networks area OSPF areas neighbor virtual link OSPF virtual links print Show OSPF settings get get value of property set Change OSPF settings export Export OSPF settings admin MikroTik routing ospf gt print router id 0 0 0 0 distribute default never redistribute connected no redistribute static no redistribute rip no redistribute bgp no metric default 1 metric connected 20 metric static 20 metric rip 20 metric bgp 20 MikroTik RouterOS V2 6 Reference Manual 334 Open Shortest Path First OSPF Routing Protocol admin MikroTik routing ospf gt admin MikroTik routing ospf gt set redistribute static as type 2 redistribute connected as type 1 Argument description router id the Router ID If not specified default 0 0 0 0 OSPF uses the largest IP address configured on the interfaces as its router ID redistribute connected if set the router will redistribute the information about all connected routes i e routes to networks that can be directly reac
514. roTik gt Assume you want to limit the bandwidth to 128kbps on downloads and 64kbps on uploads for all hosts on the LAN Bandwidth limitation is done by applying queues for outgoing interfaces regarding the traffic flow It is enough to add two queues at the MikroTik router admin MikroTik queue simple gt add name Down interface Local limit at 128000 admin MikroTik queue simple gt add name UP interface Public limit at 64000 admin MikroTik queue simple gt print Flags X disabled I invalid 0 name Down src address 0 0 0 0 0 dst address 0 0 0 0 0 interface Local limit at 128000 queue default priority 8 bounded yes 1 name UP src address 0 0 0 0 0 dst address 0 0 0 0 0 interface Public limit at 64000 queue default priority 8 bounded yes MikroTik RouterOS V2 6 Reference Manual 328 Queues and Bandwidth Management admin MikroTik queue simple gt tree print Flags X disabled I invalid D dynamic O D name Down parent Local flow limit at 128000 max burst 20 queue default priority 8 weight 1 allot 1514 bounded yes 1 D name UP parent Public flow limit at 64000 max burst 20 queue default priority 8 weight 1 allot 1514 bounded yes admin MikroTik queue simple gt Leave all other parameters as set by default The limit is approximately 128kbps going to the LAN and 64kbps leaving the client s LAN Please note that the queues have been added for the outgoing interfaces regarding the traffic flow To
515. roTik interface vlan gt If the interfaces were successfully created both of them will be running If computers are connected incorrectly through network device that does not retransmit or forward VLAN packets either both or one of the interfaces will not be running When the interface is running IP addresses can be assigned to the VLAN interfaces On the Router 1 admin MikroTik ip address gt add address 10 10 10 1 24 interface test admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 204 24 10 0 0 0 10 0 0 255 etherl 1 10 20 0 1 24 1020 00 102070255 pel 2 10 10 10 1 24 10 10 10 0 10410104255 test admin MikroTik ip address gt On the Router 2 admin MikroTik ip address gt add address 10 10 10 2 24 interface test admin MikroTik ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 201 24 10 0 0 0 10 0 0 255 etherl 1 10 10 10 2 24 10 10 10 0 10 10 10 255 test admin MikroTik ip address gt If it is set up correctly then it is possible to ping Router 2 from Router 1 and vice versa admin 10 10 1 101 0 2 10 10 1 10 10 1 4 packe round t admin 10 10 1 10 10 1 10 10 1 10 10 1 4 packe round t ikroTik 0 0 0 0 ts transmitted rip min avg max ikroTik ts transmitted rip min avg max 4 0 2 64 byte
516. roTik RouterOS V2 6 Reference Manual 280 IP Telephony A voice call can be terminated using the clear call command not available for VoIP voice ports If the voiceport has an active connection the command clear call voiceport terminates it The command is useful in cases when the termination of connection has not been detected by one of the parties and there is an infinite call It can also be used to terminate someone s call if it is using up the line required for another call Voice Port for Telephony cards All commands relating the Quicknet Voicetronix and Zaptel Wildcard cards are listed under the ip telephony voice port submenus For example admin MikroTik ip telephony voice port linejack gt print Flags X disabled 0 name linejack1 autodial region us playback volume 0 record volume 0 ring cadence agc on playback no agc on record no aec yes aec tail length short aec nlp threshold low aec attenuation scaling 4 aec attenuation boost 0 software aec no detect cpt yes admin MikroTik ip telephony voice port linejack gt Argument descriptions name name given by the user or the default one type only for phonejack type of the card phonejack phonejack lite or phonejack pci cannot be changed autodial phone number which will be dialed immediately after the handset has been lifted If this number is incomplete then the remaining part has to be dialed on the dial
517. ronous feature e The synchronous link does not work Check the V 35 cabling and the line between the modems Read the modem manual Synchronous Link Applications Two possible synchronous line configurations are discussed in the following examples e MikroTik Router to MikroTik Router e MikroTik Router to CISCO Router MikroTik RouterOS V2 6 Reference Manual 133 MOXA C101 Synchronous Interface MikroTik Router to MikroTik Router Let us consider the following network setup with two MikroTik Routers connected to a leased line with baseband modems Internet interface Public address 10 1 1 12 24 interface moxa address 1 1 1 2 32 Baseband Modem MikroTik V3 interface wan address 1 1 1 1 32 interface ether address 10 0 0 254 24 interface ether 1 address 192 168 0 254 24 LAN 192 168 0 0 24 LAN 10 0 0 0 24 The driver for MOXA C101 card should be loaded and the interface should be enabled according to the instructions given above The IP addresses assigned to the synchronous interface should be as follows admin MikroTik ip address gt add address 1 1 1 1 32 interface wan Nit network 1 1 1 2 broadcast 255 255 255 255 admineMikroTik ip address gt print Flags X disabled I invalid D dynamic 0 2 ADDRESS NETWORK BROADCAST INTERFACE 10 0 0 254 24 10 0 0 254 100052559 ether2 192 168 0 254 24 192 168 0 254 192 168 0 255 etherl 1 1 1 1 32 MZ 2592992992
518. router More than one redirect rule can be added to redirect more than one port Note only HTTP traffic is supported by web proxy transparent mode HTTPS and FTP are not going to work this way Setup Example For web proxy setup do the following e Specify at least one dns server for the router ip dns set primary dns 159 148 60 2 e Set IP address and port on which proxy will listen for requests ip web proxy set address 0 0 0 0 8080 e If this proxy has to use another proxy specify it ip web proxy set parent proxy 192 168 1 1 8080 otherwise disable it ip web proxy set parent proxy 0 0 0 0 0 e Specify cache administrator s e mail address ip web proxy set cache administrator support mt lv e Specify hostname DNS or IP address of the web proxy ip web proxy set hostname proxy mt lv e Enable the proxy service ip web proxy set enabled yes Now it is possible to use this proxy by setting it as proxy for IE Netscape Opera etc Troubleshooting e Can I use transparent proxy feature on a MikroTik router with bridged interfaces No Transparent proxy requires redirection of IP packets by firewall destination NAT NAT is not involved when packets are passed from one bridged interface to another But packets have to be translated by firewall destination NAT for transparent web proxy to work So web proxy is not going to work in transparent mode between bridge interfaces e When I turned on t
519. roxy is stopped cache files are being removed creating cache proxy is stopped cache directory structure is being created dns missing proxy is enabled but not running because of unknown DNS server you should specify it under ip dns invalid address proxy is enabled but not running because of invalid address you should change address or port invalid cache administrator proxy is enabled but not running because of invalid cache administrator s e mail address invalid hostname proxy is enabled but not running because of invalid hostname you should set a valid hostname value 4 error logged proxy is not running because of unknown error This error is logged as System Error Please send us this error and some description how it happened reserver for cache maximal cache size that is accessible to web proxy Access logs are sent to Web Proxy Access logging facility These logs can be disabled logged locally or sent to remote address To log locally system logging facility set Web Proxy Access logging local In this case logs can be viewed using log print command Some more statistics details can be monitored with ip web proxy monitor command admin MikroTik gt ip web proxy monitor status running uptime 4d19h8m14s clients 9 requests 10242 hits 3839 cache size 328672 kB received from servers 58108 kB sent to clients 65454 kB hits sent to
520. rs will first be checked against the local database and then only against the RADIUS server Be careful not to have the same P2P user on the local database and the RADIUS server the authentication will finish at the local database in this case Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e Local Authentication Overview e Local Authentication Management of P2P Users PPP Profile PPP Secret e Active Users e Local Accounting of PPP Users e Authentication using RADIUS Server 4 RADIUS Overview RADIUS Client Setup 4 RADIUS Client Monitor 4 RADIUS Parameters 0 Authentication data sent to server Access Request 0 Data received from server Access Accept 0 Accounting information sent to server Accounting Request RADIUS Servers Suggested e PPPoE Bandwidth Setting e PPP Troubleshooting e RADIUS Server Configuration Example Installation The ppp 2 6 x npk package is required The package can be downloaded from MikroTik s web page www mikrotik com To install the package please upload them to the router with ftp and reboot You may check to see if the PPP package is installed with the command The RADIUS client and RADIUS accounting features are included in the PPP package MikroTik RouterOS V2 6 Reference Manual 146 General Point to Point Settings Hardware Resource Usage There is no significant resource usage Local Authentication Overv
521. rt PP tp rv r Serv interfac enabled no mtu 1460 mru 1460 PP mschap2 default tp rv r gt ES print interfac pptp rv rfac yes 1460 1460 int enabled mtu mru pptp mschap2 default rv interfac Descriptions of settings pptp rv r gt ES r gt set print nabled yes enabled defines whether PPTP server is enabled or not mtu Maximum Transmit Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MTU to 1460 to avoid fragmentation of packets mru Maximum Receive Unit The optimal value is the MTU of the interface the tunnel is working over decreased by 40 so for 1500 byte ethernet link set the MTU to 1460 to avoid fragmentation of packets authentication authentication algorithm One or more from mschap2 chap pap default profile default profile to use Please consult General Point to Point Settings manual on authorization filtering and accounting settings There are two types of items in PPTP server configuration static users and dynamic connections A dynamic connection can be established when the default profile parameter is set to the profile which has its local address and remote address set correctly When static users are added the default profile may be left with its default values and only P2P user in ppp secret
522. ructions below When asked for the Host name or IP address of the VPN server type the IP address of the router Double click on the new icon and type the correct user name and password must also be in the user database on the router or RADIUS server used for authentication The setup of the connections takes nine seconds after selection the connect button It is suggested that the connection properties be edited so that NetBEUI IPX SPX compatible and Log on to network are unselected The setup time for the connection will then be two seconds after the connect button is selected MikroTik RouterOS V2 6 Reference Manual 172 Point to Point Tunnel Protocol PPTP To install the Virtual Private Networking support for Windows 98se go to the Setting menu from the main Start menu Select Control Panel select Add Remove Program select the Windows setup tab select the Communications software for installation and Details Go to the bottom of the list of software and select Virtual Private Networking to be installed Troubleshooting use firewall and I cannot establish PPTP connection Make sure the TCP connections to port 1723 can pass through both directions between your sites Also IP protocol 47 should be passed through Additional Resources Links for PPTP documentation http msdn microsoft com library backernd html understanding_pptp htm http support microsoft com support kb articles
523. ry charge 100 battery voltage 13 line voltage 221 output voltage 221 MikroTik RouterOS V2 6 Reference Manual 398 UPS Monitor load 57 fequency 50 admin MikroTik system ups gt When running on battery admin MikroTik system ups gt monitor on line no on battery yes transfer cause utility voltage notch or spike detected run time left 9m battery charge 95 battery voltage 11 line voltage 0 output voltage 233 load 66 fequency 50 admin MikroTik system ups gt Additional Resources http www linuxdoc org HOWTO UPS HOWTO html http www sibbald com apcupsd manual upsbible html O Copyright 1999 2003 MikroTik MikroTik RouterOS V2 6 Reference Manual 399 Users and Groups Document revision 19 Nov 2002 This document applies to the MikroTik RouterOS v2 6 Overview MikroTik RouterOS has a local user database Permissions and user rights are granted to groups Users belong to groups and receive all the permissions and user rights assigned to that group Contents of the Manual The following topics are covered in this manual e User Management e User Groups User Management User management can be accessed under the user menu admin MikroTik user gt print Flags X disabled 0 55 system default user name admin group full address 0 0 0 0 0 fadmin MikroTik user gt Use the add command to add a user to the user database admineMikroTik user gt add creates new it
524. rypt policy with level require that doesn t have all SAs out encrypt how many outgoing packets were encrypted successfully in accept how many incoming packets were matched by accept policy in accept isakmp how many incoming UDP packets on port 500 were let through without policy matching in drop how many incoming packets matched drop policy or encrypt policy with level require that didn t have all SAs in decrypted how many incoming packets were successfully decrypted in drop encrypted expected how many incoming packets were matched by encrypt policy and dropped because they were not encrypted Application examples IPsec setup between two RouterOS routers 1 0 0 0 24 10 1 0 0 24 10 2 0 0 24 Minimal config example for transport mode ESP with automatic keying on Router 1 ip ipsec policy add sa src 1P 1 0 0 1 sa dst 1 0 0 2 action encrypt ip ipsec peer add address 1 0 0 2 ip ipsec pre shared secret add address 1 0 0 2 secret roberkenon And for Router 2 ip ipsec policy add sa src 1P 1 0 0 2 sa dst 1 0 0 1 action encrypt ip ipsec peer add address 1 0 0 1 ip ipsec pre shared secret add address 1 0 0 1 secret roberkenon MikroTik RouterOS V2 6 Reference Manual 265 IPsec Minimal config example for tunnel mode AH with manual keying on Router 1 ip ipsec key add key algorithm shal length 160 key 0000000000000000000000000000000000000000 ip ipsec manual sa ad
525. s connected yes routing bgp gt print enabled yes as 65002 router id 159 148 147 206 redistribute static no redistribute connected yes redistribute rip no redistribute ospf no state running routing bgp gt fadmin MikroTik Argument description enabled enable or disable the BGP as autonomous system number router id the Router ID redistribute connected if set to yes then the router will redistribute the information about all connected routes i e routes to networks that can be directly reached from the router redistribute static if set to yes then the router will redistribute the information about all static routes added to its routing database i e routes that have been created using the ip route add command of the router redistribute rip if set to yes then the router will redistribute the information about all routes learned by the RIP protocol 361 Border Gateway Protocol BGP Routing Protocol state status of the BGP disabled not working has been disabled running working Usually you want to redistribute connected and static routes if any Therefore change the settings for these arguments and proceed to the BGP networks BGP Network To tell the BGP router which networks to advertise use the routing bgp network add command admin MikroTik routing bgp network gt add network 159 148 150 192 27 admin MikroTik routing bgp network gt
526. s client monitor commands 2 examine RADIUS server log files Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 154 Point to Point Protocol PPP and Asynchronous Interfaces Document revision 29 Nov 2002 This document applies to the MikroTik RouterOS V2 6 Overview PPP or Point to Point Protocol provides a method for transmitting datagrams over serial point to point links The com1 and com2 ports from standard PC hardware configurations will appear as serial0 and seriall automatically You can add more serial ports to use the router for a modem pool using these adapters e MOXA http www moxa com Smartio C104H 4 port PCI multiport asynchronous board with maximum of 16 ports 4 cards e MOXA http www moxa com Smartio C168H 8 port PCI multiport asynchronous board with maximum of 32 ports 4 cards e Cyclades http www cyclades com Cyclom Y Series PCI multiport asynchronous serial cards e Cyclades http www cyclades com Cyclades Z Series PCI multiport asynchronous serial cards e TCL http www thetcl com DataBooster 4 or 8 port High Speed Buffered PCI Communication Controllers General PPP settings that are used for PPP PPTP and PPPoE connections are described in_General Point to Point Setting manual Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e Serial Port Configuration e PPP S
527. s X disabled I invalid D dynamic J rejected MikroTik RouterOS V2 6 Reference Manual 344 Open Shortest Path First OSPF Routing Protocol Cc connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 DO 0 0 0 0 0 r 10 2 0 2 110 main 1 DO 192 168 0 0 24 r 10 3 0 1 110 to peerl 2 DC 10 2 0 0 24 r 0 0 0 0 0 main 3 DC 10 3 0 0 24 t 0 0070 0 to peerl 4 DO 10 1 0 0 24 1 02 02 110 main 5 DO 10 0 0 0 24 r 10 2 0 2 110 main admin OSPF peer 2 gt Functioning of the Backup If the link between routers OSPF Main and OSPF peer 1 goes down we have the following situation Internet OSPF Main peer 70 202 main 10 201 peer 10 1 0 2 gosig OSPF peer 2 main_link 10 1 0 1 backup 10 3 0 1 OSPF peer 1 local 192 168 0 1 LAN 192 168 0 0 24 The OSPF routing changes as follows On the main OSPF router admin OSPF Main gt ip route print Flags X disabled I invalid D dynamic J rejected G connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE O S 0 0 0 0 0 r 10 0 0 1 1 main_gw 1 DO 192 168 0 0 24 r 10 2 0 1 110 peer2 2 DC 10 2 0 0 24 r 0 0 0 0 0 peer2 3 DO 10 3 0 0 24 E 10 2 0 1 110 peer2 4 DC 10 1 0 0 24 r 0 0 0 0 0 peerl 5 DC 10 0 0 0 24 r 0 0 0 0 0 main_gw admin OSPF Main gt On the Peer 1 admin OSPF peer 1 gt ip route print Flags X dis
528. s 08 00 46 04 33 17 interface Local MikroTik ip arp gt print Flags X disabled I invalid D dynamic ADDRESS MAC ADDRESS INTERFACE 0 D 10 1 1 254 00 80 C8 C9 B0 45 Public 1 10 5 8 214 08 00 46 04 33 17 Local 2D 10 5 9 202 00 00 E8 69 65 5F sales 3D 10 5 9 204 00 00 E8 69 69 9F sales MikroTik ip arp gt If arp feature is turned off on interface i e arp disabled is used ARP requests from clients are not answered by the router Therefore static arp entry should be added to the clients as well For example the router s IP and MAC addresses should be added to the windows workstations using the arp command for example C gt arp s 10 5 8 254 00 aa 00 62 c6 09 See the relevant documentation on how to manage static arp entries on your system Using the Proxy ARP Feature All physical interfaces like Ethernet Prism Aironet PC WaveLAN etc can be set for using the Address Resolution Protocol or not By default the arp feature is enabled However it can be changed to proxy arp The Proxy ARP feature means that the router will be listening to arp requests received at the relevant interface and respond to them with its own MAC address if the request matches any other IP address of the router For example you can assign IP addresses to dial in ppp pppoe pptp clients from the same address space as used on the connected LAN if you enable the proxy arp on the LAN interfa
529. s an IP network H 323v4 includes H 245 H 225 Q 931 H 450 1 RTP real time protocol e CODECs The following audio CODECS are supported G 711 the 64 kbps Pulse code modulation PCM voice coding technique The encoded voice is already in the correct format for digital voice delivery in the PSTN or through PBXs G 723 1 the 6 3 kbps compression technique that can be used for compressing audio signal at very low bit rate GSM 06 10 the 13 2 kbps coding LPC 10 the 2 5 kbps coding G 729 G 729a the 8 kbps CS ACELP software coding G 728 16 kbps coding technique supported only on Quicknet LineJACK cards e RFCs Compliant to the RFC1889 RTP http www etf org rfc rfc 1889 txt 7mumber 1889 e Regional Standards Quicknet cards are approved in United States United Kingdom France Germany Australia Japan Voicetronix OpenLine4 is approved in Australia Europe New Zealand and USA FCC Implementation Options e IP Telephony Gateway When connected to a PBX or PSTN telephone line the MikroTik router can act as a gateway between the telephone network and the VoIP network e IP Telephone System When connecting an analog telephone the MikroTik router acts as an IP Telephone The MikroTik IP Telephones and IP Telephony Gateways are interoperable with the following H 323 terminals e Microsoft Netmeeting e Siemens IP phone HiNet LP 5100 e Cisco ATA 186 e Welltech LAN Phone 101 e Most H 323 compatible devices
530. s are given out by hotspot dhcp configuration For hotspot client accounting hotspot will add dynamic firewall rules in firewall hotspot chain This chain has to be created manually And all network packets to from hotspot clients have to pass this chain Setup Example Follow the steps below 1 Your ether1 interface is configured with IP address 10 5 6 5 24 and the default route points to gateway 10 5 6 1 2 Your prism1 interface is configured for AP mode and can register IEEE 802 11b wireless clients See the Prism Interface Manual for more details ARP should be set to reply only on prism interface so no dynamic entries are added to the ARP table DHCP server will add entries only for clients which have obtained DHCP leases interface prism set prism1 arp reply only 4 Add two IP addresses to prism1 interface ip address add address 192 168 0 1 24 interface prism1 ip address add address 10 5 50 1 24 interface prism1 5 add 2 IP pools ip pool add name temp ranges 192 168 0 2 192 168 0 254 ip pool add name hspot ranges 10 5 50 2 10 5 50 254 add masquerading rule for temporary IP pool which is not routed ip firewall src nat add src address 192 168 0 0 24 action masquerade Make sure you have routing for authenticated address space Try to ping 10 5 50 1 from your internet gateway 10 5 6 1 for example See the Basic Setup Guide on how to set up routing 7 Add dhcp server for temporary IP addresses
531. s for print set The set command allows you to change values of general parameters or item parameters The set command has arguments with names corresponding to values you can change Use or double TAB to see list of all arguments If there is list of items in this command level then set has one unnamed argument that accepts the number of item or list of numbers you wish to set up set does not return anything remove The remove command has one unnamed argument which contains number s of item s to remove add The add command usually has the same arguments as set minus the unnamed number argument It adds new item with values you ve specified usually to the end of list in places where order is relevant There are some values that you have to supply like interface for new route and other values that are set to defaults if you don t supply them The add command returns internal number of item it has added You can create a copy of an existing item by using copy from argument It takes default values of new item s properties from another item If you don t want exact copy you can specify new values for some properties When copying items that have names you will usually have to give new name to a copy You can place a new item before an existing item by using place before argument Thus you do not need to use the move command after adding an item to the list You can control disabled enabled state of new items by using disable
532. s gt Property Description enabled yes no default no status of the monitoring is disabled by default port name s communication port of the router off line time time default 5m how long to work on batteries The router waits that amount of time and then goes into hibernate mode until the UPS reports that the utility power is back e the router will go into hibernate mode according the min run time setting and 10 of battery power event In this case the router will wait until the UPS reports that the battery power is below 10 min run time time default 5m minimal run time remaining After a utility failure the router will monitor the run time left value When the value reaches the min run time value the router will go to hibernate mode e the router will go to hibernate mode when the battery low signal is sent indicating that the battery power is below 10 alarm setting delayed immediate low battery none default immediate UPS sound alarm setting e delayed alarm is delayed to the on battery event e immediate alarm immediately after the on battery event e low battery alarm only when the battery is low e none do not alarm rtc alarm setting delayed immediate low battery none default none UPS sound alarm setting during run time calibration e delayed alarm is delayed to the on battery event e immediate
533. s is called modp1024 in RouterOS Configure phase 2 settings MikroTik RouterOS V2 6 Reference Manual 273 IPsec [Screenshot: SonicWALL VPN Client Security Policy Editor, Key Exchange Phase 2 proposal] in IPSec Protocols box SA Life select Seconds enter 1800 in Seconds field Compression select None check Encapsulation Protocol ESP Encrypt Alg select DES Hash Alg select MD5 Encapsulation select Tunnel clear Authentication Protocol AH click Save on the toolbar Testing Try accessing some host on 1 1 1 0 24 network from 10 0 0 81 box After some time IPSec tunnel will be established and data will start to pass through On RouterOS side you can see the statistics for established SAs admin xxx ip ipsec installed sa gt print Flags A AH E ESP P pfs M manual 0 E spi 3C3C7A8D direction out src address 10 0 0 204 dst address 10 0 0 81 auth algorithm md5 enc algo
534. s policy tried to decrypt but discarded for any reason See global counters for more specific conditions Peer Peer configuration settings are used to establish connections between IKE daemons phase 1 configuration This connection then will be used to negotiate keys and algorithms for SAs These parameters won t affect the established SAs in any way To define new peer configuration use ip ipsec peer add command admin MikroTik ip ipsec peer gt add address 10 0 0 201 admin MikroTik ip ipsec peer gt print Flags X disabled 0 address 10 0 0 201 500 exchange mode main send initial contact yes proposal check strict hash algorithm md5 enc algorithm 3des dh group modp1024 admin MikroTik ip ipsec peer gt MikroTik RouterOS V2 6 Reference Manual 260 IPsec Argument description address address of the remote peer dh group Diffie Hellman DH key exchange protocol allows two parties without any initial shared secret to create one This value defines cipher strength Allowed values modp768 modp1024 modp1536 modp2048 modp3072 modp4096 modp8192 First three 768 1024 and 1536 are standard others might be incompatible with similarly named groups in other implementations enc algorithm Encryption algorithm Valid algorithms are des 3des aes 128 aes 192 and aes 256 in strength and computation time increasing order exchange mode Valid values are main aggressive or base See RFC 2408 for
535. s the rules of the selected chain IP Firewall Common Arguments The common arguments used in the firewall rules are action Action to undertake if the packet matches the rule see below The choice of the available action is different for firewall filter mangle and NAT rules mark flow MANGLE only Flow mark string dst address Destination IP address Can be in the form address mask ports where mask is number of bits in the subnet and ports is one port or range of ports e g x x x x 32 80 81 dst netmask Destination netmask in decimal form x x x x dst port Destination port number or range 0 65535 0 means all ports 1 65535 icmp options any any ICMP options out interface interface the packet is leaving the router If the default value all is used it may include the local loopback interface for packets with destination to the router limit burst allowed burst regarding the limit count limit time limit count how many times to use the rule during the limit time period limit time time interval used in limit count protocol Protocol all egp ggp icmp igmp ip encap ip sec tcp udp all cannot be used if you want to specify ports src address Source IP address Can be in the form address mask ports where mask is number of bits in the subnet and ports is one port or range of ports e g x x x x 32 80 81 src mac address host s MAC add
536. s updates and that it is properly configured Dynamic DNS Update tool can be accessed with the tool dns update command admin MikroTik tool gt dns update address dns server key key name name ttl zone admin MikroTik tool gt dns update Descriptions of arguments MikroTik RouterOS V2 6 Reference Manual 406 Dynamic DNS DDNS Update Tool address defines IP address associated with the domain name dns server DNS server to send update to key authorization key password of a kind to access the server key name authorization key name username of a kind to access the server name name to attach with the IP address ttl time to live for the item in seconds zone DNS zone where to update the domain name in Dynamic DNS Update Example admin MikroTik tool gt dns update address 12 23 34 45 dns server 23 34 45 56 name mydomain zone myzone com ttl 3600 key name dns update key key sviests Additional Resources Links to Dynamic DNS Update documentation http www zoneedit com doc rfc http www faqs org rfcs rfc2136 html Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 407 ICMP Bandwidth Test Document revision 19 Nov 2002 This document applies to MikroTik RouterOS v2 6 Overview The ICMP Bandwidth Tester Ping Speed can be used to approximately evaluate algorithm is not very precise the throughput to any remote computer
537. sabled R running 0 R name cyclades1 mtu 1500 line protocol frame relay media type V35 clock rate 64000 clock source external line code B8ZS framing mode ESF line build out 0dB rx sensitivity short haul frame relay lmi type ansi frame relay dce no chdlc keepalive 10s admin MikroTik interface cyclades gt PVC admin MikroTik interface pvc gt print Flags X disabled R running NAME MTU DLCI INTERFACE 0 R pvc1 1500 42 cyclades1 admin MikroTik interface pvc gt CISCO router setup CISCO show running config MikroTik RouterOS V2 6 Reference Manual 115 FrameRelay PVC Interfaces Building configuration Current configuration ip subnet zero no ip domain lookup frame relay switching interface Ethernet0 description connected to EthernetLAN ip address 10 0 0 254 255 255 255 0 interface Serial0 description connected to Internet no ip address encapsulation frame relay IETF serial restart delay 1 frame relay lmi type ansi frame relay intf type dce interface Serial0 1 point to point ip address 1 1 1 2 255 255 255 0 no arp frame relay frame relay interface dlci 42 end Send ping to MikroTik router CISCO ping 1 1 1 1 Type escape sequence to abort Sending 5 100 byte ICMP Echos to 1 1 1 1 timeout is 2 seconds Success rate is 100 percent 5 5 round trip min avg max 28 31 32 ms CISCO Frame Relay Configur
538. scheduler disable x admin MikroTik system script gt add name log x source log message x admin MikroTik system script gt scheduler admin MikroTik system scheduler gt add name x up start time 00 00 00 interval 24h script enable x admin MikroTik system scheduler gt add name x down start time 12 00 00 interval 24h script disable x admin MikroTik system scheduler gt add name x start time 00 00 00 interval 1h script log x admin MikroTik system scheduler gt print Flags X disabled NAME SCRIPT START DATE START TIME INTERVAL RUN COUNT 0 x up enable x oct 30 2008 00 00 00 1d 0 1 x down disab oct 30 2008 12 00 00 1d 0 2 x log x oct 30 2008 00 00 00 1h 0 admin MikroTik system scheduler gt Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 392 Telnet Client Document revision 12 Aug 2002 This document applies to the MikroTik RouterOS v2 6 Overview MikroTik RouterOS has a built in Telnet Client It is used to communicate with other systems over a network Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e Telnet Client Description e Telnet Client Examples Installation The Telnet client feature is included in the system package No installation is needed for this feature Hardware Resource Usage There is no significant resource usage Telnet Client Description admin MikroTik syst
539. sco show running config interface Ethernet0 ip address 10 0 0 26 255 255 255 0 no ip directed broadcast interface Serial1 ip address 192 168 1 1 255 255 255 252 ip directed broadcast router rip version 2 redistribute connected redistribute static network 10 0 0 0 network 192 168 1 0 ip classless The routing table of the Cisco router is Cisco show ip route Codes C connected S static I IGRP R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 E EGP i IS IS L1 IS IS level 1 L2 IS IS level 2 candidate default U per user static route o ODR Gateway of last resort is 192 168 1 2 to network 0 0 0 0 10 0 0 0 24 is subnetted 1 subnets C 10 0 0 0 is directly connected Ethernet0 R 192 168 0 0 24 120 1 via 10 0 0 174 00 00 19 Ethernet0 192 168 1 0 30 is subnetted 1 subnets C 192 168 1 0 is directly connected Serial1 R 192 168 3 0 24 120 1 via 192 168 1 2 00 00 05 Serial1 R 0 0 0 0 0 120 1 via 192 168 1 2 00 00 05 Serial1 Cisco As we can see the Cisco router has learned RIP routes both from the MikroTik router 192 168 0 0 2
540. sec policy add src address 10 2 0 0 24 dst address 10 1 0 0 24 action encrypt tunnel yes sa src address 1 0 0 2 sa dst address 1 0 0 1 ip ipsec peer add address 1 0 0 1 exchange mode aggressive ip ipsec pre shared secret add address 1 0 0 1 secret sviestapika IPsec Setup Between MikroTik and CISCO Routers Baseband Modem Baseband Modem V 35 sync Fe 10 0 1 2 10 0 0 0 24 10 2 0 0 24 Must configure IPsec encryption for traffic between 10 0 0 0 24 and 10 0 2 0 24 subnets Configuring RouterOS Add encryption proposal phase2 proposal settings that will be used to encrypt actual data we will use DES to encrypt data and SHA1 to authenticate admin MikroTik ip ipsec proposal gt add name to_cisco pfs group none algorithms enc des auth sha1 Add peer with phase1 configuration parameters DES and SHA1 will be used to protect IKE traffic admin MikroTik ip ipsec peer gt add address 10 0 1 2 enc algorithm des auth method pre shared key hash algorithm sha dh group modp1024 Add preshared secret to use when talking to Cisco admin MikroTik ip ipsec pre shared secret gt add secret test_key address 10 0 1 2 Add policy rule that matches traffic between subnets and requires encryption with ESP in tunnel mode admin MikroTik ip ipsec policy gt add src address 10 0 0 0 24 dst address 10 0 2 0 24 protocol all action encrypt ipsec protoco
541. sed as an argument value in other commands In console this is done by returning value from commands Return value is not displayed on the screen When you type such command between square brackets this command is executed and its return value is used as the value of these brackets This is called command substitution Consider find command admin MikroTik gt interface admin MikroTik interface gt find type ether admin MikroTik interface gt It displays nothing on screen and returns internal numbers of items with matching property values This is how return value looks admin MikroTik interface gt put find type ether A B admin MikroTik interface gt and this is how it can be used in other commands admin MikroTik interface gt enable find type ether admin MikroTik interface gt Besides find some other commands also return useful values ping returns number of successful pings admin MikroTik interface gt put ping 10 0 0 1 count 3 10 0 0 1 64 byte pong ttl 64 time lt 1 ms 10 0 0 1 64 byte pong ttl 64 time lt 1 ms 10 0 0 1 64 byte pong ttl 64 time lt 1 ms 3 packets transmitted 3 packets received 0 packet loss round trip min avg max 0 0 0 0 ms 3 admin MikroTik interface gt MikroTik RouterOS V2 6 Reference Manual 38 Scripting Manual set returns value of its second argument time returns the measured time value incr and decr return new value of varia
542. sed as username and password e Registration may occur on a different server Client s MAC address may be passed to it so that this information need not be written in manually After the registration the server may change RADIUS database enabling client to log in Servlet Page Description There are 6 HTML pages to interact with hotspot client e login html login page e status html status page for logged in user e logout html after_logged_out page e error html various error messages e redirect html redirecting web browser to another url e alogin html page which is shown after successful login while client gets new IP address from DHCP server for 10 seconds or so Variable Description All of the pages use variables to show user specific values For each variable there is an example included in brackets Common variables available in all pages e hostname IP address for hotspot www access 10 5 50 1 e link_logout link to logout page http 10 5 50 1 logout e link_login link to login page http 10 5 50 1 login dst http www mt lv e link_status link to status page http 10 5 50 1 status e link_orig link to original destination page http www mt lv Page specific variables e redirect html link_redirect page to which redirect has to be done for example http www mt lv e login html 4 mac MAC address 01 02 03 04 05 06 4 error erro
543. ser admin MikroTik ip accounting web access gt print accessible via web yes address 0 0 0 0 0 admin MikroTik gt For security purposes an IP address or IP subnet can be limited to the collection of the web report The above example of address 0 0 0 0 0 allows all IP hosts to access the web reports With the settings address 10 1 0 3 32 only IP host 10 1 0 3 is allowed to access the web reports A simple script can be run with crond and wget to periodically collect traffic data Timestamps can be added to the traffic data file as well as other features MikroTik Download Utilities Page Traffic data analysis There are many tools and systems to analyze traffic data Useful common tools are e Microsoft Excel e Grep Unix Linux utility MikroTik RouterOS V2 6 Reference Manual 301 IP Traffic Accounting e Perl scripts Additional Resources Links for documentation http www gnu org manual wget http www gnu org manual grep 2 4 Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 302 IP Packet Packer Protocol M3P Document revision 9 Aug 2002 This document applies to the MikroTik RouterOS v2 6 Overview The MikroTik Packet Packer Protocol M3P optimizes the bandwidth usage of links using protocols that have a high overhead per packet transmitted The basic purpose of this protocol is to better enable wireless networks to transport VoIP traffic and other traf
544. should be dialed and after the dial tone has been received the number 33 should be entered Thus the telephone Joe is ringed After establishing the voice connection with 33 the call has been answered the voice port monitor shows admin voip_gw ip telephony voice port linejack gt monitor linejackl status connection port line direction port to ip line status plugged phone number 33 remote party name linejack1 10 0 0 224 codec G 723 1 6 3k hw duration 1m46s admin voip_gw ip telephony voice port linejack gt e To dial the IP telephone 10 5 8 2 from the office PBX line the extension number 19 should be dialed and after the dial tone has been received the number 31 should be entered Setting up the Welltech IP Telephone Please follow the documentation from http www welltech com tw on how to set up the Welltech LAN Phone 101 Here we give just brief recommendations MikroTik RouterOS V2 6 Reference Manual 294 1 We recommend to upgrade the Welltech LAN Phone 101 with the latest application software Telnet to the phone and check what you have for example usr config rom print IP Telephony Download Method TFTP Server Address 10 5 8 1 Hardware Ver 4 0 Boot Rom nblp boot 102a Application Rom wtlp 108h DSP App 48302ce3 127 DSP Kernel 48302ck 127 DSP Test Code 483cbit bin Ringback Tone wg ringbacktone 100 Hold Tone wg holdtonel0s 100 Ringing Tonel ringlow bin Ri
545. sing requests and generating responses For example for vendor specific attributes of Ascend and Mikrotik the dictionary file should contain lines root server raddb cat dictionary VENDOR Ascend 529 VENDOR Mikrotik 14988 Bandwidth limitation in bits s ATTRIBUTE Ascend Data Rate 197 integer Ascend Traffic limitation in bytes ATTRIBUTE Mikrotik Recv Limit 1 integer Mikrotik ATTRIBUTE Mikrotik Xmit Limit 2 integer Mikrotik root server raddb 4 All users should be listed in the users file for example root server raddb cat users randy Password w fxc Service Type Framed User Framed Protocol PPP Framed IP Address 10 5 13 19 Ascend Data Rate 64000 monica Password bil Service Type Framed User Framed Protocol PPP root server raddb 5 If you have changed RADIUS server settings most probably you have to restart the RADIUS daemon see instructions for it For example you have to issue command on your server root server raddb etc rc d init d radiusd restart Shutting down radiusd OK Starting radiusd OK root server raddb Remember that users included in router s ppp secret list are not authenticated using the RADIUS server MikroTik RouterOS V2 6 Reference Manual 153 General Point to Point Settings To troubleshoot your RADIUS server and client setup 1 use ppp radius client monitor or ip hotspot radiu
546. specific cases when you need to maintain a connection even if something fails For example if someone cuts the wires the router can automatically connect to a different interface to continue its work This backup is based on a utility that monitors the status of the connection netwatch and a script which runs the netwatch ISDN Backup Description This is an example of how to make a router backup system In this example we use an ISDN connection to backup a standard ethernet connection You can of course use anything instead of the ISDN connection PPP for example When the ethernet fails the router nr 1 cannot ping the router nr 2 to 2 2 2 2 see picture the router establishes an ISDN connection a so called backup link to continue communicating with the nr 2 MikroTik RouterOS V2 6 Reference Manual 126 ISDN Interface Note that in our case there are just two routers but this system can be also used to connect two or more different networks The backup system example is described in the following diagram [Diagram: backup link over PSTN ISDN alongside the Internet link, with DST ADDRESS and GATEWAY routing tables for each router] In this case the backup interface is an ISDN connection but it can be anything Follow the instructions below on how to set up the backup link Setting up ISDN Connection To use
547. ss 0 0 0 0 0 dst address 192 168 0 17 32 interface Local limit at 0 queue default priority 8 bounded yes 3 name Serv_U src address 192 168 0 17 32 dst address 0 0 0 0 0 interface Public limit at 0 queue default priority 8 bounded yes admin MikroTik queue simple gt move 2 admin MikroTik queue simple gt move 3 0 1 MikroTik RouterOS V2 6 Reference Manual 329 Queues and Bandwidth Management admin MikroTik queue simple gt print Flags X disabled I invalid 0 name Serv_D src address 0 0 0 0 0 dst address 192 168 0 17 32 interface Local limit at 0 queue default priority 8 bounded yes 1 name Serv_U src address 192 168 0 17 32 dst address 0 0 0 0 0 interface Public limit at 0 queue default priority 8 bounded yes 2 name Down src address 0 0 0 0 0 dst address 0 0 0 0 0 interface Local limit at 128000 queue default priority 8 bounded yes 3 name UP src address 0 0 0 0 0 dst address 0 0 0 0 0 interface Public limit at 64000 queue default priority 8 bounded yes admin MikroTik queue simple gt Example of Using Masquerading If masquerading is used for the local address space 192 168 0 0 24 of the client computers in the previous example setup then the outgoing traffic has masqueraded source address 10 0 0 217 i e the outgoing packets have external address of the router as the source If you use simple queues as in the previous example the queuing rule for incoming traffic should match the cust
548. [Table of contents fragment] MikroTik Packet Packer Protocol Setup 304; MikroTik Neighbor Discovery Protocol MNDP 305; Contents of the Manual 305; Hardware Resource Usage 305; MikroTik Discovery Protocol Description 305; MikroTik Discovery Protocol Setup 306; IP Route Management 307; Contents of the Manual 307; Adding Static Routes 307; Equal Cost Multipath Routing 308; Policy Routing 309; Application Example for Policy Routing 311; Additional Resources 312; Services Protocols and Ports 313
549. ssed under the ip arp submenu admin MikroTik ip arp gt Address Resolution Protocol is used to map IP address to MAC layer address Router has a table of currently used ARP entries Normally table is built dynamically but to increase network security static entries can be added print Show ARP entries set Change ARP entry properties find Find ARP entries get get value of item s property comment Set comment for ARP entry enable Enable static ARP entry disable Disable static ARP entry add Add static ARP entry remove Remove ARP entry export Export list of ARP entries admin MikroTik ip arp gt To view the list of arp entries use the ip arp print command admin MikroTik ip arp gt print MikroTik RouterOS V2 6 Reference Manual 250 IP Addresses and Address Resolution Protocol ARP Flags X disabled I invalid D dynamic ADDRESS MAC ADDRESS INTERFACE 0 D 10 1 1 254 00 80 C8 C9 B0 45 Public 1 D 10 5 8 214 08 00 46 04 33 17 Local 2 D 10 5 9 202 00 00 E8 69 65 5F sales 3 D 10 5 9 204 00 00 E8 69 69 9F sales 4D LOSE C204 00 60 52 0B B4 80 Local admin MikroTik ip arp gt If static arp entries are used for network security on an interface you should set arp to replay only on that interface Do it under the relevant interfaces menu admin MikroTik ip arp gt interface ethernet set Local arp replay only admin MikroTik ip arp gt add address 10 5 8 214 mac addres
550. sses 10 1 0 2 30 and 192 168 0 254 24 assigned to the radiolan and Ethernet interfaces respectively The default route should be set to 10 1 0 1 Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 196 Virtual LAN VLAN Interface Document revision 29 Nov 2002 This document applies to the MikroTik RouterOS V2 6 Overview VLAN is an implementation of the 802 1Q VLAN protocol for MikroTik RouterOS 2 6 It allows you to have multiple Virtual LANs on a single ethernet cable giving the ability to segregate LANs efficiently It supports up to 4094 vlan interfaces per ethernet device Many routers including Cisco and Linux based and many Layer 2 switches also support it A VLAN is a logical grouping that allows end users to communicate as if they were physically connected to a single isolated LAN independent of the physical configuration of the network VLAN support adds a new dimension of security and cost savings permitting the sharing of a physical network while logically maintaining separation among unrelated users Contents of the Manual The following topics are covered in this manual e Installation e Hardware Resource Usage e VLAN Interface and Protocol Description e VLAN Setup e VLAN Application Example e Additional Resources e Currently Supported Interfaces Installation The MikroTik Router should have the vlan software package installed The software package file vlan 2 6 x npk can be
551. sses the router and leaves the Local interface destination of the customer s network will be processed against the firewall rules of the customer chain Enforcing the Internet Policy To force the customer s hosts to access the Internet only through the proxy server at 192 168 0 17 we should put following rules in the forward chain ip firewall rule forward gt add protocol icmp out interface comment Allow ICMP ping packets ip firewall rule forward gt add src address 192 168 0 17 32 Public comment Allow outgoing connections form the server at 192 168 ip firewall rule forward gt add action reject out interface comment Reject and log everything else ip firewall rule forward gt print invalid src address 0 0 0 0 0 0 65535 in interface all dst address 0 0 0 0 0 0 65535 out interface Local protocol all any tcp options any connection state any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action jump jump target customer log no Allow ICMP ping packets src address 0 0 0 0 0 0 65535 in interface all dst address 0 0 0 0 0 0 65535 out interface Public protocol icmp any tcp options any connection state any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 tion accept log no Allow outgoing connections form the server at 192 168 0 17 src address 192 168 0 17 32 0 65535 in interface all admin MikroTik area admin MikroTik Nees admin
552. stallation of the MikroTik RouterOS disregarding how many cards are installed in one PC box The Synchronous Feature is not included in the Free Demo or Basic Software License The Synchronous Feature cannot be obtained for the Free Demo License It can be obtained only together with the Basic Software License System Resource Usage Before installing the synchronous adapter please check the availability of free IRQ s admin MikroTik gt system resource irq print Flags U unused IRQ OWNER 1 keyboard 2 APIC U 3 4 serial port U 5 U 6 U 7 U 8 9 ether1 U 10 11 ether2 U 42 U 13 14 IDE 1 admin MikroTik gt Installing the Synchronous Adapter You can install up to four MOXA C502 synchronous cards in one PC box if you have so many PCI slots available Loading the Driver for the MOXA C502 Synchronous Adapter The MOXA C502 PCI card requires no manual driver loading admin MikroTik gt driver print Flags I invalid D dynamic DRIVER IRQ IO MEMORY ISDN PROTOCOL 0 D Moxa C502 PCI 1 D RealTek 8139 admin MikroTik gt Synchronous Interface Configuration If the driver has been loaded successfully no error messages and you have the required Synchronous Software License then the two synchronous interfaces should appear under the interfaces list with the name moxaN where N is 0 1 2 You can change the interface name to a more descriptive one using the set command To enable the interf
553. sthrough mark flow abc http tcp mss dont change admin MikroTik ip firewall mangle gt See the Firewall Filters and Network Address Translation NAT Manual for details on how to mark the MikroTik RouterOS V2 6 Reference Manual 326 Queues and Bandwidth Management packets You can add queue using the queue tree add command admin MikroTik queue tree gt add name HTTP parent ether1 flow abc http limit at 128000 max burst 0 bounded yes admin MikroTik queue tree gt print Flags X disabled I invalid D dynamic 0 D name A_Simple parent ether1 flow limit at 128000 max burst 20 queue default priority 8 weight 1 allot 1514 bounded yes 1 name HTTP parent ether1 flow abc http limit at 128000 max burst 0 queue default priority 8 weight 1 allot 1514 bounded yes admin MikroTik queue tree gt print brief Flags X disabled I invalid D dynamic NAME PARENT FLOW LIMIT AT PACKETS BYTES 1 DA Simple ether1 128000 0 0 0 HTTP ether1 abc http 128000 0 0 admin MikroTik queue tree gt Troubleshooting e The queue is not added for the correct interface Add the queue to the interface through which the traffic is leaving the router Queuing works only for packets leaving the router e The source destination addresses of the packets do not match the values specified in the queue setting Make sure the source and destination addresses as well as network masks are specified correc
554. t to Multipoint Wireless LAN 0 IP Network Configuration 4 Point to Point Wireless LAN 0 IP Network Configuration 0 Testing the Network Connectivity 4 Point to Point Wireless LAN with Windows Client 0 IP Network Configuration 0 Testing the Network Connectivity MikroTik RouterOS V2 6 Reference Manual 201 WaveLAN ORiINOCO 2 4GHz 11Mbps Wireless Interface Wireless Adapter Hardware and Software Installation Software Packages The MikroTik Router should have the wavelan software package installed The software package file wavelan 2 6 x npk can be downloaded from MikroTik s web page www mikrotik com To install the package please upload the correct version file to the router and reboot Use BINARY mode ftp transfer After successful installation the package should be listed under the installed software packages list for example admin MikroTik gt sys package print Flags I invalid NAME VERSION BUILD TIME UNINSTALL 0 system 2 6beta4 aug 09 2002 20 22 14 no 1 wavelan 2 6beta4 aug 09 2002 20 31 48 no 2 ppp 2 6beta4 aug 09 2002 20 28 01 no 3 pppoe 2 6beta4 aug 09 2002 20 29 18 no 4 pptp 2 6beta4 aug 09 2002 20 28 43 no 5 ssh 2 6beta4 aug 09 2002 20 25 31 no admin MikroTik gt Software License The 2 4GHz wireless adapters require the 2 4GHz wireless feature license One license is for one installation of the MikroTik RouterOS disregarding how many cards are installed in one PC box The wireless feature is
555. t Flags X disabled D dynamic R running NAME TYPE MTU O R ether1 ether 1500 R ether2 ether 1500 admin MikroTik gt ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 174 24 10 0 0 174 10 4 00 255 etherl 192 168 0 1 24 192 168 0 0 192 168 0 255 ether2 admin MikroTik gt ip route print Flags X disabled I invalid D dynamic J rejected Cc connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 DC 192 168 0 0 24 r 0 0 0 0 0 ether2 1 DC 10 0 0 0 24 r 0 0 0 0 0 etherl fadmin MikroTik gt Note that no default route has been configured The route will be obtained using the RIP The necessary configuration of the RIP general settings is as follows admin MikroTik routing rip gt set redistribute connected yes admin MikroTik routing rip gt print redistribute static no redistribute connected yes redistribute ospf no redistribute bgp no metric static 1 metric connected 1 metric ospf 1 metric bgp 1 update timer 30s timeout timer 3m garbage timer 2m MikroTik RouterOS V2 6 Reference Manual 357 Routing Information Protocol RIP fadmin MikroTik routing rip gt The minimum required configuration of RIP interface is just enabling the ether1 admin MikroTik routing rip interface gt add interface etherl admin MikroTik routing rip interface gt print Flags I inactive 0 interface
556. t local address 10 0 103 1 remote address 10 0 103 2 routes admin HomeOffice ppp secret gt Then the user should be added in the PPTP server list admin HomeOffice interface pptp server gt add user ex admin HomeOffice interface pptp rver gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 pptp inl ex admin HomeOffice interface pptp server gt a And finally the server must be enabled admin HomeOffice interface pptp server server gt set enabled yes admin HomeOffice interface pptp server server gt print enabled yes mtu 1460 mru 1460 authentication mschap2 default profile default admin HomeOffice interface pptp server server gt Add a PPTP client to the RemoteOffice router admin RemoteOffice interface pptp client gt add connect to 192 168 80 1 user ex password lkjrht disabled no admin RemoteOffice interface pptp client gt print Flags X disabled R running O R name pptp out1 mtu 1460 mru 1460 connect to 192 168 80 1 user ex password 1kjrht profile default add default route no admin RemoteOffice interface pptp client gt Thus a PPTP tunnel is created between the routers This tunnel is like an Ethernet point to point connection between the routers with IP addresses 10 0 103 1 and 10 0 103 2 at each router It enables direct communication between the rout
557. t 64000 max burst 0 bounded yes admin MikroTik queue tree gt print Flags X disabled I invalid D dynamic 0 name Up parent Public flow limit at 64000 max burst 0 queue default priority 8 weight 1 allot 1514 bounded yes admin MikroTik queue tree gt Next mark the traffic from the FTP server We will mark only TCP port 20 because that port is used to send and receive FTP data admin MikroTik ip firewall mangle gt add src address 192 168 0 17 32 20 protocol tcp mark flow Server_Up in interface Local admin MikroTik ip firewall mangle gt print Flags X disabled I invalid D dynamic 0 src address 192 168 0 17 32 20 in interface Local dst address 0 0 0 0 0 0 65535 protocol tcp tcp options any icmp options any any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action accept mark flow Server_Up tcp mss dont chang admin MikroTik ip firewall mangle gt The second mangle rule will match the rest of the traffic from the network admin MikroTik ip firewall mangle gt add src address 0 0 0 0 0 mark flow Local_Up in interface Local admin MikroTik ip firewall mangle gt print Flags X disabled I invalid D dynamic 0 src address 0 0 0 0 0 in interface Local dst address 0 0 0 0 0 0 65535 protocol tcp tcp options any icmp options any any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action ac
558. The Winbox Console uses TCP port 3987. After logging on to the router, you can work with the MikroTik router's configuration through the Winbox console and perform the same tasks as using the regular console. Overview of Common Functions: You can use the menu bar to navigate through the router's configuration menus and open configuration windows. By double clicking on some list items in the windows, you can open configuration windows for the specific items, and so on. There are some hints for using the Winbox Console: • To open the required window, simply click on the corresponding menu item • To add a new entry, you should click on the icon in the corresponding window • To remove an existing entry, click on the icon • To enable an item, click on the icon • To disable an item, click on the icon • To make or edit a comment for a selected item, click on the icon • To refresh the window, click on the icon • To undo an action, click on the icon above the main menu • To redo an action, click on the icon above the main menu • To logout from the Winbox Console, click on the icon. Troubleshooting for Winbox Console: • Cannot get the MikroTik RouterOS Winbox to start. The Missing RouterOS Winbox plugins message
559. t of Atheros chipset based hardware that is tested to work with MikroTik RouterOS: • Intel 5000 series • Dlink DWL-A520. © Copyright 1999-2002 MikroTik. Bridge Interface. Document revision 12 Dec 2002. This document applies to the MikroTik RouterOS V2.6. Overview: MAC level bridging of Ethernet packets is supported. Ethernet, Ethernet over IP (EoIP), Prism, Atheros and RadioLAN interfaces are supported. All 802.11b and 802.11a client wireless interfaces (both ad-hoc and infrastructure or station modes) do not support this because of the limitations of 802.11; it is possible to bridge over them using the Ethernet over IP protocol (please see documentation on EoIP). Features include: • Spanning Tree Protocol (STP) • Multiple bridge interfaces • Bridge associations on a per interface basis • Protocol can be selected to be forwarded or discarded • MAC address table can be monitored in real time • IP address assignment for router access • Bridge interfaces can be firewalled. Contents of the Manual: The following topics are covered in this manual: • Installation • Hardware Resource Usage • Bridge Setup • Port Settings • Bridge Monitoring • Bridge Firewall: Additional Bridge Firewall Resources • Troubleshooting. Installation: The bridge feature is included in the system package. No installation is needed for this feature. Hardware Resource Usage: When Bridge is us
560. t package too. For package dependencies, see the section about contents of the software packages below. The system package won't be uninstalled even if marked for uninstallation. Software Package Installation Instructions: The software package files are compressed binary files, which can be downloaded from MikroTik's web page www.mikrotik.com, Download section. The full name of the package file consists of a descriptive name, version number and file extension npk. For example: system-2.6beta4.npk, ppp-2.6beta4.npk, pppoe-2.6beta4.npk, etc. To install (upgrade) a newer version of the MikroTik RouterOS system software, please follow the upgrade instructions below: • Check the availability of free HDD space on the router using the system resource print command: admin MikroTik gt system resource print uptime 2d8h31m33s free memory 3328 kB total memory 29504 kB cpu WinChip cpu load 0 free hdd space 5679 kB total hdd space 46478 kB admin MikroTik gt Note: If there is not enough free disk space for storing the upgrade packages, disk space can be freed up by uninstalling some software packages which provide functionality not required for your needs. • If the free disk space is sufficient for storing the upgrade packages, connect to the router using ftp. Use the user name and password of a user with full access privileges. • Select the BINA
561. t rate For that set for example supported rates 6Mbps 24Mbps 36Mbps Do not forget to include all basic rates of your access point default is 6Mbps Monitoring the Interface Status In station mode the atheros interface status can be monitored using the interface atheros monitor command admin MikroTik interface atheros gt monitor atherosl status connected to ess frequency 5240MHz tx rate 36Mbps MikroTik RouterOS V2 6 Reference Manual 70 Atheros 5GHz 54Mbps Wireless Interface rx rate 9Mbps ssid testing bssid 00 06 AB 00 37 88 signal strength 24 admineMikroTik interface atheros gt Argument description status status of the interface searching for network the card has not registered to an AP and is searching for one to register to authenticating the card is trying to authenticate on an AP associating the card is trying to associate with an AP 4 connected to ess the card has registered to an AP frequency the frequency that is used for the connection tx rate the actual transmitting data rate of the connection rx rate the actual receiving data rate of the connection ssid the Service Set Identifier bssid the Basic Service Set Identifier actually the MAC address of the access point signal strength the signal strength The monitor command does not work if the interface is disabled or the mode is ap bridge or bridge Access Point Mode Co
562. t route should be set to the gateway router 10 1 1 254 not the AP 10 1 1 250 admin MikroTik ip route gt add gateway 10 1 1 254 admin MikroTik gt ip route print Flags X disabled I invalid D dynamic J rejected G connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 Ss 0 0 0 0 0 r 10 1 1 254 1 wavelanl 1 DC 192 168 0 0 24 r 0 0 0 0 0 etherl 2 DC 10 1 1 0 24 r 0 0 040 0 wavelanl admin MikroTik ip route gt Point to Point Wireless LAN Let us consider the following point to point wireless network setup with two MikroTik Wireless Routers D Internet A Internet interface Public i Wireless Router Gat address 10 1 1 12 24 aA 3 wnet gw 0 e interface wil A ssid1 b link y 2 4GHz mode ad hoc 3 11Mbps IS x interface wavelan1 A mode ad hoc address 10 0 0 1 30 interface etherl address 192 168 0 254 24 ssid1 b_link A Bouter fade sa Ee MikroTik Local Network 192 168 0 0 24 e a o i Workstation so 192 168 0 1 192 165 0 2 To establish a point to point link the configuration of the wireless interface should be as follows e A unique Service Set Identificator should be chosen for both ends say b_link e A channel frequency should be selected for the link say 2412MHz e The operation mode should be set to ad hoc The following command should be issued to change the settings for the wavelan interface
563. tal aug 09 2002 20 28 43 no 6 ssh 2 6beta aug 09 2002 20 25 31 no F advanced tools 2 6betal aug 09 2002 20 53 37 no 8 bgp 2 6betal aug 09 2002 20 34 22 no 9 ospf 2 6betal aug 09 2002 20 34 08 no admin MikroTik gt The list shows the number name version and build time of the installed software packages If the functions provided by a software package are not required for the router implementation the package can be scheduled for uninstallation at the next shutdown reboot of the router Use the system package set command to mark the packages for uninstallation admin MikroTik gt system package set 6 uninstall yes admin MikroTik gt system package print Flags I invalid NAME VERSION BUILD TIME UNINSTALL 0 system 2 6betal aug 09 2002 20 22 14 no 1 rip 2 6betal aug 09 2002 20 33 41 no 2 ppp 2 6betal aug 09 2002 20 28 01 no 3 plist 2 6betal aug 09 2002 20 32 58 no 4 pppoe 2 6betal aug 09 2002 20 29 18 no 5 pptp 2 6betal aug 09 2002 20 28 43 no 6 ssh 2 6betal aug 09 2002 20 25 31 yes 7 advanced tools 2 6beta4 aug 09 2002 20 53 37 no 8 bgp 2 6betal aug 09 2002 20 34 22 no 9 ospf 2 6betal aug 09 2002 20 34 08 no fadmin MikroTik gt If a package is marked for uninstallation but it is required for another dependent package then the marked package cannot be uninstalled For example the ppp package wont be uninstalled if the pptp package is installed You should uninstall the dependen
564. tatic server configuration is as follows OSPF Main gt ip route add dst address 10 3 0 1 32 gateway 10 2 0 1 ppp secret add name ospf service pptp password asdf4 local address 10 4 0 2 remote address 10 4 0 1 interface pptp server add name pptp inl user ospf interface pptp server server set enabled yes interface pptp server print D Flags X disabled dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 pptp inl ospf OSPF Main gt The IP address configuration of the OSPF_Main router is as follows OSPF Main gt ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 214 24 10 0 0 0 10 0 0 255 main_gw 1 10 2 0 2 24 10 2 0 0 10 200 299 isp2 2 10 1 0 2 24 10 1 0 0 10 1 0 255 peerl 3 D 10 4 0 2 32 10 4 0 1 0 0 0 0 pptp inl OSPF Main gt OSPF settings OSPF Main routing ospf gt print router id 0 0 0 0 distribute default if installed as type 1 redistribute connected as type 1 redistribute static no redistribute rip no redistribute bgp no metric default 1 metric connected 20 metric static 20 metric rip 20 metric bgp 20 OSPF Main routing ospf gt interface add interface pptp inl cost 50 OSPF Main routing ospf gt interface print O interface pmi cost 150 priority 1 authentication key retransmit interval 5s transmit delay 1s hello interval 10s dead interval 40s
565. te router which has a corresponding interface configured with the same Tunnel ID. • The EoIP interface appears as an Ethernet interface under the interface list. • This interface supports all features of an Ethernet interface. IP addresses and other tunnels may be run over the interface. • The EoIP protocol encapsulates Ethernet frames in GRE (IP protocol number 47) packets, just like PPTP, and sends them to the remote side of the EoIP tunnel. EoIP Setup: IP EoIP Interface management can be accessed under the interface eoip submenu. You can add an EoIP tunnel interface using the interface eoip add command: admin MikroTik interface eoip gt add creates new item with specified property values arp Address Resolution Protocol copy from item number disabled mtu Maximum Trasfer Unit name New tunnel name remote address Remote address of tunnel tunnel id admin MikroTik interface eoip gt add name to_mt2 tunnel id 1 remote address 10 5 8 1 admin MikroTik interface eoip gt print Flags X disabled R running 0 X name to_mt2 mtu 1500 arp enabled remote address 10 5 8 1 tunnel id 1 admin MikroTik interface eoip gt enable 0 admin MikroTik interface eoip gt print Flags X disabled R running 0 R name to_mt2 mtu 1500 arp enabled remote address 10 5 8 1 tunnel id 1 admin MikroTik interface eoip gt enable 0 Desc
566. template pages and uploading them to the hotspot folder on the MikroTik router. These pages are described in detail later on. Authentication: After the client computer receives a temporary IP address from the HotSpot DHCP server, going to any HTTP address with a web browser is redirected to the HotSpot authentication page, which prompts for a username and password. The password, together with a HotSpot-generated challenge string, is hashed using the MD5 algorithm, which in this case is implemented in JavaScript and executed on the client's computer by the web browser. After that, the hash result, together with the username, is sent over the Ethernet network to the HotSpot servlet, so the password is never sent in plain text over the IP network. HotSpot can authenticate users using the local user database or some RADIUS server. Which option is used is determined by the ip hotspot radius client enabled parameter. If the radius client is enabled, RADIUS authentication is used; otherwise local user authentication is done. If authentication is done locally, the profile corresponding to that user is used; otherwise (in case of RADIUS) the default profile is used to set default values for parameters which are not set in the RADIUS access accept message. If authentication by HTTP cookie is enabled, then after each successful login a cookie is sent to the web browser and the same cookie is added to the active HTTP cookie list. The next time the user tries to log in, the web browser will send the HTTP cookie. This cookie will be compared to the one on
567. terface Serial0 description connected to MikroTik ip address 1 1 1 2 255 255 255 252 serial restart delay 1 j ip classless ip route 0 0 0 0 0 0 0 0 10 1 1 254 end CISCO Send ping packets to the MikroTik router: CIscoO ping 1 1 1 1 Type escape sequence to abort Sending 5 100 byte ICMP Echos to 1 1 1 1 timeout is 2 seconds Success rate is 100 percent 5 5 round trip min avg max 28 32 40 ms CISCO Copyright 1999-2002 MikroTik. General Point to Point Settings. Document revision 30 Dec 2002. This document applies to the MikroTik RouterOS V2.6. Overview: This section describes setting user configuration for Point to Point links as PPP, PPTP, PPPoE as well as ISDN. P2P (point to point) authentication on the MikroTik RouterOS is supported by a local authentication database or a RADIUS client. Authentication is supported for PPP asynchronous connections, PPPoE, PPTP and ISDN PPP (local only). Authentication protocols supported are PAP, CHAP and MS-CHAPv2. The authentication process is as follows: P2P sends a user authentication request; the user ID is first checked against the local user database for any users which have the PPP attribute; if no matching user is found, then the RADIUS client (if enabled) will request authentication from the RADIUS server. Note that the use
568. teway domain name DNS server s and WINS server s for Windows clients information To use MikroTik RouterOS DHCP server feature you should 1 Specify address pool to be used for DHCP clients Address pools are added managed under the ip pool menu for example MikroTik RouterOS V2 6 Reference Manual 213 DHCP Client and Server admin MikroTik ip pool gt add name our dhcp clients ranges 10 0 0 2 10 0 1 254 Do not inlude the DHCP server s interface s address into the pool range See IP Pool Manual for more details 2 Add a DHCP server to the interface For example admin MikroTik ip dhcp server gt add name dhcp office address pool our dhcp clients interface etherl lease time 72h netmask 255 255 255 0 gateway 10 0 0 1 dns server 10 0 0 1 159 148 60 2 domain mt lv admin MikroTik ip dhcp server gt enable dhcp offic admin MikroTik ip dhcp server gt print Flags X disabled I invalid 0 name dhcp office interface etherl lease time 72h address pool our dhcp clients netmask 255 255 255 0 gateway 10 0 0 1 src address 10 0 0 1 dns server 10 0 0 1 159 148 60 2 domain mt lv wins server add arp yes admin MikroTik ip dhcp server gt Descriptions of arguments name descriptive name for server interface All Ethernet like interfaces may run a DHCP server lease time Dictates the time that a client may use an address Suggested setting is three days The c
569. teway 2 2 2 2 The Second Router: admin Mikrotik system script gt add name connection_down source ip route set routel gateway 3 3 3 1 admin Mikrotik system script gt add name connection_up source ip route set routel gateway 2 2 2 1 Setting up Netwatch: To use netwatch, you need the advanced tools feature package installed. Please upload it to the router and reboot. When installed, the advanced tools package should be listed under the system package print list. Add the following settings to the first router: admin Mikrotik tool netwatch gt add host 2 2 2 1 interval 5s up script connection_up down script connection_down Add the following settings to the second router: admin Mikrotik tool netwatch gt add host 2 2 2 2 interval 5s up script connection_up down script connection_down Copyright 1999-2002 MikroTik. MOXA C101 Synchronous Interface. Document revision 5 Nov 2002. This document applies to the MikroTik RouterOS V2.6. Overview: The MikroTik RouterOS supports the MOXA C101 Synchronous 4Mb/s Adapter hardware. The V.35 synchronous interface is the standard for VSAT and other satellite modems. However, you must check with the satellite system supplier for the modem interface type. For more information about the MOXA C101 Synchronous 4Mb/s Adapter hardware, please see the relevant documentation: • http www moxa com prod
570. the NAT rule set This is important MikroTik RouterOS V2 6 Reference Manual 218 Firewall Filters and Network Address Translation NAT when setting up firewall rules since the original packets might be already modified by the NAT e If the packet should be forwarded through the router the firewall rules of the forward chain are applied next e When a packet leaves an interface firewall rules of the output chain are applied first then the NAT rules and queuing IP packet flow through the router is given in the following diagram INCOMING INTERFACE Firewall MANGLE NO ls this a new connection Firewall look up DST NAT rules If needed change DST addr port Routing table ls the packet for the router Firewall FORWARD YES Firewall INPUT IP packet for the router ROUTER IP Firewall Configuration ROUTER IP packet from the router Routing table Firewall MANGLE Firewall DUTPUT Accounting ls this a new connection Firewall look up SRC NAT rules If needed change SRC addr port OUTGOING INTERFACE The IP firewall management can be accessed under the ip firewall menu Firewall can be managed through the WinBox Console as well Go to IP Firewall and select the desired chain Press the List button to MikroTik RouterOS V2 6 Reference Manual 219 Firewall Filters and Network Address Translation NAT acces
571. the enable command admin MikroTik gt interface print Flags X disabled D dynamic R running AME TYPE MTU O R etherl ether 1500 1 X prismi prism 1500 admin MikroTik gt interface enable 1 admin MikroTik gt interface print Flags X disabled D dynamic R running AME TYPE MTU O R etherl ether 1500 1 prismi prism 1500 admin MikroTik gt More configuration and statistics parameters can be found under the interface prism menu admin MikroTik interface prism gt print Flags X disabled R running 0 name prisml mtu 1500 mac address 00 90 4B 02 17 E2 arp enabled mode station root ap 00 00 00 00 00 00 frequency 2412MHz ssid mikrotik default authentication yes default forwarding yes max clients 2007 card type generic tx power auto supported rates 1 11 basic rates 1 admin MikroTik interface prism gt Argument description name Interface name same as for other interfaces mtu Maximum transfer unit same as for other interfaces mac address MAC address of card In AP mode this will also be BSSID of BSS arp Address Resolution Protocol one of the disabled the interface will not use ARP protocol enabled the interface will use ARP protocol proxy arp the interface will be an ARP proxy see corresponding manual 4 reply only the interface will only reply to the requests originated to its own IP addresses but neighbour MAC add
572. ther one and vice versa. Statistics can be printed out using the print stats command: admin MikroTik ip ipsec policy gt print stats Flags X disabled I invalid 0 src address 10 0 0 205 32 any dst address 10 0 0 201 32 any protocol all ph2 state no phase2 in accepted 0 in dropped 0 out accepted 0 out dropped 0 encrypted 0 not encrypted 0 decrypted 0 not decrypted 0 admin MikroTik ip ipsec policy gt Description of the printout: ph2 state: progress of key establishing; expired means there are some leftovers from previous phase2, and is similar to no phase2, which means nothing has happened; established means SAs are in place and everything should be working. Anything else falls between these last two states. in accepted: how many incoming packets were passed through by policy without attempting decryption. in dropped: how many incoming packets were dropped by policy without attempting decryption. out accepted: how many outgoing packets were passed through by policy without encryption. out dropped: how many outgoing packets were dropped by policy without attempting encryption. encrypted: how many outgoing packets were encrypted and passed on successfully. not encrypted: how many outgoing packets policy attempted to encrypt but discarded for any reason. decrypted: how many incoming packets policy decrypted and passed on successfully. not decrypted: how many incoming packet
573. this protocol. This protocol makes multiple network schemes possible. Network setups with IPIP interfaces: • Possibility to tunnel Intranets over the Internet • Possibility to avoid using source routing. Contents of the Manual: The following topics are covered in this manual: • Installation • Hardware Resource Usage • IPIP Interface and Protocol Description • IPIP Setup • Additional Resources. Installation: The IP over IP tunnel feature is included in the system package. No installation is needed for this feature. Hardware Resource Usage: This protocol uses a minimum of resources. IPIP Interface and Protocol Description: An IPIP interface should be configured on two routers that have the possibility for an IP level connection and are RFC 2003 compliant. The IPIP tunnel may run over any connection that transports IP. Each IPIP tunnel interface can connect with one remote router that has a corresponding interface configured. An unlimited number of IPIP tunnels may be added to the router. For more details on IPIP tunnels, see RFC 2003. IPIP Setup: IP over IP Interface management can be accessed under the interface ipip submenu. You can add an IPIP tunnel interface using the interface ipip add command: admin MikroTik interface ipip gt add name test_IPIP mtu 1480 local address 10 0 0 204 remote address 10 0 0 171 admin MikroTik
574. time • Access list by source, destination and URL • Cache access list. Contents of the Manual: The following topics are covered in this manual: • Installation Software License • Hardware Resource Usage • MikroTik Web Proxy Description • MikroTik Web Proxy Setup • Monitoring the Web Proxy • Access List • Direct Access List • Managing the Cache • Transparent Mode • Setup Example • Troubleshooting. Installation: The MikroTik Web Proxy feature is included in the web proxy package. To install the web proxy package, upload it to the router and reboot. After successful install of the web proxy package, it should be listed under the system package print list. Software License: The web proxy does not require any additional Software License. It works with the Basic License. Note that the web proxy does not work with the Demo License. Hardware Resource Usage: The proxy cache can use as much disk space as there is allocated for it. When the system allocates the space for the proxy cache, 1/7th of the total partition (disk) size is reserved for the system, but not less than 50MB. The rest is left for the proxy cache. The system RAM size is considered as well when allocating the cache size. The cache size is limited so that there are at least 11.2MB of RAM per 1GB of cache, plus 32MB of RAM is reserved for the system. Note that it may be useful to have Web proxy runni
575. ting changes as follows OSPF Main gt ip route print Flags X disabled I invalid D dynamic J rejected E connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 E TO0 0 0 1 1 main_gw E SEOs 30 L32 0 2000 L 1 isp2 2 DO 192 168 3 0 24 r 10 4 0 1 110 pptp inl 3 DO 192 168 0 0 24 104 01 110 pptp in1l MikroTik RouterOS V2 6 Reference Manual 349 Open Shortest Path First OSPF Routing Protocol 4 DO 10 4 0 2 32 r 10 4 0 1 110 pptp in1l 5 DC 10 4 0 1 32 r 0 0 0 0 0 pptp in1l 6 DO 10 3 0 0 24 r 10 4 0 1 110 pptp in1l 7 DC 10 2 0 0 24 r 0 0 0 0 0 isp2 8 DO 10 2 0 2 32 r 10 4 0 1 110 pptp inl 9 DC 10 1 0 0 24 r 0 0 0 0 0 peerl 10 DC 10 0 0 0 24 r 0 0 0 0 0 main_gw OSPF Main gt OSPF peer 1 gt ip route print Flags X disabled I invalid D dynamic J rejected Cc connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE Ss 10 2 0 0 24 ri 1035002 1 backup 1 S 192 168 3 0 24 r 192 168 0 20 1 local 2 S 10 2 0 2 32 r L03 PA 1 backup 3 DO 0 0 0 0 0 E TOnZ 110 pptp out1 4 DC 192 168 0 0 24 r 0 0 0 0 0 local 5 DC 10 4 0 2 32 r 040 020 0 pptp outl 6 DO 10 4 0 1 32 r 10 4 0 2 110 pptp outl 7 DC 10 3 0 0 24 r 0 0 0 0 0 backup 8 DC 10 1 0 0 24 PO O IO ENO 0 main_link 9 DO 10 0 0 0 24 E LOL 062 110 pptp outl OSPF peer 1 gt AS we see all routing goes t
576. tion To see the interface settings use: admin MikroTik ip neighbor interface gt print NAME DISCOVER 0 Public yes 1 Local yes admin MikroTik ip neighbor interface gt To change the interface settings use the ip neighbor interface set command: admin MikroTik ip neighbor interface gt set Public discover no admin MikroTik ip neighbor interface gt print NAME DISCOVER 0 Public no 1 Local yes admin MikroTik ip neighbor interface gt Copyright 1999-2002 MikroTik. IP Route Management. Document revision 16 Oct 2002. This document applies to the MikroTik RouterOS V2.6. Overview: The following Manual discusses managing the IP routes. MikroTik RouterOS has the following types of routes: • Connected Routes are created automatically when adding an address to an interface. These routes specify networks which can be accessed directly through the interface. • Static Routes are user-defined routes that specify the router that can forward traffic to the specified network. They are useful for specifying the default gateway. • About OSPF, RIP and BGP dynamic routing protocols, see the respective manuals. Contents of the Manual: The following topics are covered in this manual: • Adding Static Routes • Equal Cost Multipath Routing • Policy Routing: Application Example for Policy Routing • Additional Resources. Adding
577. tion that can be used to hide private networks behind one external IP address of the router. For example, masquerading is useful if you want to access the ISP's network and the Internet appearing as all requests coming from one single IP address given to you by the ISP. The masquerading will change the source IP address and port of the packets originated from the private network to the external address of the router when the packet is routed through it. Masquerading helps to ensure security, since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. Masquerading also conserves the number of global IP addresses required, and it lets the whole network use a single IP address in its communication with the world. To use masquerading, a source NAT rule with action masquerade should be added to the src nat rule set: admin MikroTik ip firewall src nat gt add src address 10 5 91 0 24 0 65535 out interface ether1 action masquerade admin MikroTik ip firewall src nat gt print Flags X disabled I invalid 0 src address 10 5 91 0 24 0 65535 dst address 0 0 0 0 0 0 65535 out interface ether1 protocol all icmp options any any flow limit count 0 limit burst 0 limit time 0s action masquerade to src address 0 0 0 0 to src port 0 65535 admin MikroTik ip firewall src nat gt If the packet matches the
578. tly The most common mistake is wrong address netmask e g 10 0 0 217 24 wrong 10 0 0 217 32 right or 10 0 0 0 24 right e The simple queuing does not work when masquerading is in use Masquerading changes the source address of packets leaving the router outgoing traffic Therefore the simple queuing rule should match packets having the router s external address as source Alternatively queue trees could be used for marked packets Use the MANGLE feature to mark the packets e The traffic is not limited when the bounded parameter is not set to yes Use the bounded flag for the queue if you do not want to exceed the set limit when other queues are not using the available bandwidth for the interface e Queuing does not work for the start of the file transfer It starts limiting the bandwidth only after the first x packets have been downloaded Do not use the burst parameter value greater than 0 if you do not want to allow any traffic bursts Queue Applications One of the ways to avoid network traffic jams is usage of traffic shaping in large networks Traffic shaping and bandwidth allocation is implemented in the MikroTik RouterOS as queuing mechanism Thus the network administrator is able to allocate a definite portion of the total bandwidth and grant it to a particular network segment or interface Also the bandwidth of particular nodes can be limited by using this mechanism Further on several examples of using band
579. tmask 255 255 2 f ToRemoteOffice RE mietetice f 40 150 1 2 32 FromLaptop To Intemet 10 150 1 254 32 Ey 192 168 81 1 24 j nd e TPA GO 450 1 254 24 192 168 80 111 24 1450 7 network 10 150 1 0 netmask 255 255 255 0 m Workstation 10 150 1 1 24 The router in this example e RemoteOffice Interface Tolnternet 192 168 81 1 24 Interface Office 10 150 1 254 24 The client computer can access the router through the Internet On the PPTP server a user must be set up for the client admin RemoteOffice ppp secret gt add name ex service pptp password 1k gt 3rht local address 10 150 1 254 remote address 10 150 1 2 admin RemoteOffice ppp secret gt print detail Flags X disabled 0 name ex service pptp caller id password 1k3jrht profile default local address 10 150 1 254 remote address 10 150 1 2 routes admin RemoteOffice ppp secret gt MikroTik RouterOS V2 6 Reference Manual 171 Point to Point Tunnel Protocol PPTP Then the user should be added in the PPTP server list admin RemoteOffice interface pptp rver gt add name FromLaptop user ex admin RemoteOffice interface pptp server gt print Flags X disabled D dynamic R running NAME USER MTU CLIENT ADDRESS UPTIME ENC 0 FromLaptop ex admin RemoteOffice interface pptp server gt n And the server must be enabled admin RemoteOffice interface pptp admin Rem
580. to Point Encryption to make encrypted links The purpose of this protocol is to make well managed secure connections between 1 routers and routers 2 routers and PPTP clients clients are available for almost all OSs including Windows PPTP includes PPP authentication and accounting for each PPTP connection Full authentication and accounting of each connection may be done through a RADIUS client or locally There are also additional PPP configurations for management of users and connections can be found in General Point to Point Settings manual MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported PPTP traffic uses TCP port 1723 and IP protocol ID 47 as assigned by the Internet Assigned Numbers Authority IANA PPTP can be used with most firewalls and routers by enabling traffic destined for TCP port 1723 and protocol 47 traffic to be routed through the firewall or router PPTP connections may be limited or impossible to setup though a masqueraded NAT IP connection Please see the Microsoft and RFC links at the end of this section for more information PPTP Client Setup Each PPTP connection is composed of a server and a client The MikroTik RouterOS may function as a server or client or for various configurations it may be the server for some connections and client for other connections For example the client created below could connect to a Windows 2000 server another MikroTik Router or another router which supports a PPTP
581. to the gateway 10 1 1 12 where it will be forwarded to Joe If you want to call Joe directly add a phonebook record for it usr config pbook add name Joe ip 10 0 0 224 e164 33 Use the telephony logging feature on the gateway to debug your setup Setting up the MikroTik Router and CISCO Router Here are some hints on how to get working configuration for telephony calls between CISCO and MikroTik router Tested on e MT 2 4 1 e CISCO 1750 Configuration on the MikroTik side e G 729a codec MUST be disabled otherwise connections are not possible at all ip telephony codec disable G 729A 8k sw e G 711 ALaw codec should not be used in some cases there is no sound ip telephony codec disable G 711 ALaw 64k sw G 711 ALaw 64k hw e Fast start has to be used otherwise no ring back tone and problems with codec negotiation ip telephony voice port set cisco fast start yes e Telephone number we want to call to must be sent to Cisco for example ip telephony numbers add destination pattern 101 voice port cisco prefix 101 e Telephone number cisco will call us must be assigned to some voice port for example ip telephony numbers add destination pattern 098 voice port linejack Configuration on the CISCO side e IP routing has to be enabled ip routing e Default values for fast start can be used voice service pots default h323 call start MikroTik RouterOS V2 6 Reference Manual 296 IP Telephony
582. to view the list of available telephony voice ports and their configuration admin MikroTik ip telephony voice port gt print Flags X disabled NAME 0 PBX_Line 1 ISDN_GW 2 VoIP_GW AUTODIAL admin MikroTik ip telephony voice port gt Description of arguments name name assigned to the voice port by user type type of the installed telephony voice port linejack phonejack isdn voip voicetronix zaptel TYPE linejack isdn voip autodial number to be dialed automatically if call is coming in from this voice port Note that if autodial does not exactly match an item in ip telephony numbers there can be two possibilities e if autodial is incomplete rest of the number is asked local voice port or incoming call is denied VoIP e if autodial is invalid line is hung up PSTN line busy tone is played POTS or incoming call is denied VoIP Monitoring the Voice Ports Use the monitor command under the corresponding menu to view the current state of the port for example admin MikroTik ip telephony voice port linejack gt monitor PBX_Line status port direction line status phone number remote party name codec duration connection phone port to ip unplugged 26 pbx_20 10 5 8 12 G 723 1 6 3k hw 14s admin MikroTik ip telephony voice port linejack gt Note that monitoring feature is not available for VoIP ports Argument description status curre
583. tone frequency 425x0 busy tone cadence 480 480 480 480 ring tone frequency 425x0 ring tone cadence 1000 4000 Argument description flag P predefined cannot be changed or removed Users can add their own regional settings which can be changed and removed name Name of the regional setting busy tone cadence Busy tone cadence in ms 0 end of cadence busy tone frequency Frequency and volume gain of busy tone Hz x dB data access arrangement ring voltage impedance setting for line jack card australia france germany japan uk us dial tone frequency Frequency and volume gain of dial tone Hz x dB ring tone cadence Ring tone cadence in ms 0 end of cadence ring tone frequency Frequency and volume gain of ring tone Hz x dB For generating the tone the frequency and cadence arguments are used The dialtone always is continuous signal therefore it does not have the cadence argument When detecting the dialtone it should be at least 100ms long Sometimes it is necessary to add an additional regional setting matching the properties of a particular PBX Use the add command to add a new regional setting admin MikroTik ip telephony region gt add creates new item with specified property values busy tone cadence Busy tone cadence in ms 0 end of cadence busy tone frequency Frequency and volume gain of busy tone Hz x dB copy from item number data access arrangement
584. toolsfo 6 oa bp fof MikroTik RouterOS V2 6 Reference Manual 54 Software Package Installation and Upgrading Troubleshooting e Is it possible to upgrade from 2 5 to 2 6 without configuration loss No you will lose Point to Point interface DHCP and bridge interface settings Also you will have to copy all the PPP users in the new location manually Please Note that you should uninstall telephony package before the upgrade After the upgrade you can put it back and you will not lose the configuration e I have Free Demo license for V2 3 of MikroTik RouterOS and I want to upgrade to V2 6 You will need to obtain a new demo license after the upgrade or purchase the license It can be done prior the upgrade e Not enough space to upgrade the system package Uninstall some packages not in use e The system package does not install because of incorrect version Use system package version that is greater than the currently installed one e Additional packages do not install because of incorrect version of the system package Upgrade the system package first then install the additional packages The packages should be of the same version as your system package e The package file is corrupted after upload Use BINARY mode for file transfer e The package has been successfully installed and the driver loaded but there is no interface in the interface list Obtain the required license to enable the functionality of provided
585. tor name and mt1 is the service name An example of a PPPoE client on the MikroTik RouterOS admin RemoteOffice interface pppoe client gt print Flags X disabled R running 0 X name pppoe outl mtu 1460 mru 1460 interface gig user Jjohn password password profile default service name testSN ac name add default route no dial on demand no use peer dns no Descriptions of settings name this settable name will appear in interface and IP address list when the PPPoE session is active interface interface through which the PPPoE server can be connected The PPPoE client can be attached to any Ethernet like interface for example wireless 10 100 1000 Ethernet and EoIP tunnels mtu and mru represents the MTU and MRU when the 8 byte PPPoE overhead is subtracted from the standard 1500 byte Ethernet packet For encryption subtract four more bits and set the MTU and MRU to 1488 user a user name that is present on the PPPoE server password a user password used to connect the PPPoE server profile default profile for the connection service name The service name set on the access concentrator Many ISPs give user name and address in the form of user name service name ac name This may be left blank and the client will connect to any access concentrator that offers the service name selected add default route Select yes to have a default route adde
586. ts may connect to the Access Point for PPPoE authentication Further for RouterOS clients the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500 This optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs lower than 1500 It has not been determined how to change the MTU of the Windows wireless interface at this moment PPPoE Troubleshooting e The PPPoE server shows more than one active user entry for one client when the clients disconnect they are still shown and active Set the keepalive timeout parameter in the PPPoE server configuration to 10 if You want clients to be considered logged off if they do not respond for 10 seconds Note that if the keepalive timeout parameter is set to 0 and the only one parameter in PPP profile settings is set to yes then the clients might be able to connect only once e My windows PPPoE client obtains IP address and default gateway from the MikroTik PPPoE server but it cannot ping beyond the PPPoE server and use the Internet PPPoE server is not bridging the clients Configure masquerading for the PPPoE client addresses or make sure you have proper routing for the address space used by the clients or you enable Proxy ARP on the Ethernet interface See the IP Addresses and Address Resolution Protocol ARP Manual e My Windows XP client cannot connect to the PPPoE server You have to specify the Service Name in the propert
587. tspot gt HotSpot management active HotSpot active user list user HotSpot local user list profile HotSpot user profile management server HotSpot DHCP profile management radius client RADIUS client configuration cookie HotSpot active HTTP cookie list print Print current configuration and status get Get value of configuration property set Change hotspot configuration export Export hotspot settings admin MikroTik ip hotspot gt print hotspot address 0 0 0 0 status autorefresh 1m auth mac no auth mac password no auth http cookie no http cookie lifetime 1d These are general parameters for HotSpot auth http cookie defines whether HTTP authentication by cookie is enabled auth mac defines whether authentication by ethernet MAC address is enabled auth mac password uses MAC address as password if MAC authorization is enabled hotspot address IP address for HotSpot www access http cookie lifetime validity time of HTTP cookies status autorefresh WWW status page autorefresh time HotSpot RADIUS Client Setup Here is RADIUS client configuration If it is disabled users are authorized locally admin MikroTik ip hotspot radius client gt print MikroTik RouterOS V2 6 Reference Manual 237 enabled accounting primary server secondary server HotSpot Gateway no yes 10 0 0 96 0530220580 secret shared secret authentication port accounting port interim update 1812
588. tted but before putting it into interface queue IPsec policy database is consulted to find out if packet should be encrypted Security Policy Database SPD is a list of rules that have two parts Packet matching Packet source destination protocol and ports for TCP and UDP are compared to values in policy rules one after another Action If rule matches action specified in rule is performed accept continue with packet as if there was no IPsec drop drop packet encrypt encrypt packet Each SPD rule can be associated with several Security Associations SA that determine packet encryption parameters key algorithm SPI Note that packet can only be encrypted if there is usable SA for policy rule By setting SPD rule security level user can control what happens when there is no valid SA for policy rule use if there is no valid SA send packet unencrypted like accept rule acquire send packet unencrypted but ask IKE daemon to establish new SA require drop packet and ask IKE daemon to establish new SA If packet can be encrypted it is encrypted and sent as LOCALLY ORIGINATED packet i e it is processed with output firewall src nat again and IPsec SPD again this way one packet can be encrypted several times if encrypted packet has to be sent over encrypted tunnel itself If packet matches the same SPD rule that it matched before it is sent out without encrypting to avoid encryption loops Decryptio
589. type ansi frame relay dce no chdlc keepalive 10s MikroTik RouterOS V2 6 Reference Manual 96 Cyclades PC300 PCI Adapters admin MikroTik interface cyclades gt Argument description number Interface number in the list name Interface name mtu Maximum Transmit Unit 68 1500 bytes Default value is 1500 bytes line protocol Line protocol cisco hdlc frame relay sync ppp media type The hardware media used for this interface E1 T1 V24 V35 X21 clock rate The clock mode or clock rate in bps If 0 the external clock mode is selected For V 35 should be set to 0 to use the external clock from the modem Values greater than 0 represent the clock speed which implies an internal clock clock source Source of the clock external internal tx internal line code For T1 E1 channels only The line code AMI B8ZS HDB3 NRZ framing mode For T1 E1 channels only The frame mode CRC4 DA ESF Non CRC4 Unframed line build out For T1 channels only Line Build Out Signal Level 0dB 15dB 22 5dB 7 5dB rx sensitivity For T1 E1 channels only Receiver sensitivity long haul short haul The Cyclades PC300 RSV Synchronous PCI Adapter comes with a V 35 cable This cable should work for all standard modems which have V 35 connections For synchronous modems which have a DB 25 connection you should use a standard DB 25 cable Connect a communication de
590. ual SENDING gt gt gt gt ISAKMP OAK GM HASH SA NON KE ID ID RECEIVED lt lt lt ISAKMP OAK GM HASH SA NON KE ID 1D SENDING gt gt gt gt ISAKMP DAK QM H45H Loading IPSec SA Message ID AB379E0 OUTBOUND SPI 44724105 INBOUND SPI 3C3C7481 RECEIWED lt lt lt ISAKMP OAK OM Retransmission SENDING gt gt gt gt ISAKMP OAK QM Retransmission RECEIVED lt lt lt ISAKMP OAK OM Retransmission SENDING gt gt gt gt ISAKMP OAK OM Retransmission 562 b Not in use Data Secured 594b Data Remaining Notinuse 275 IP Telephony Document revision 29 Nov 2002 This document applies to the MikroTik RouterOS V2 6 The MikroTik RouterOS IP Telephony feature enables Voice over IP VoIP communications using routers equipped with the following voice port hardware e Quicknet LineJACK or PhoneJACK analog telephony cards e ISDN cards e Voicetronix OpenLine4 was V4PCI 4 analog telephone lines cards e Zaptel Wildcard X100P IP telephony card 1 analog telephone line Topics covered in this manual e IP Telephony Specifications Supported Hardware Supported Standards Implementation Options e IP Telephony Hardware and Software Installation Software Packages Software License 4 Hardware Installation e IP Telephony Configuration Telephony Voice Ports e Monitoring the Voice Ports Voice Port Statistics Voice Port for Telephony cards Voice Port for ISD
591. uct sync C101 htm The product on line documentation e C101 SuperSync Board User s Manual The User s Manual in pdf format Contents of the Manual The following topics are covered in this manual e Synchronous Adapter Hardware and Software Installation Software Packages Software License System Resource Usage Installing the Synchronous Adapter 0 MOXA C101 PCI variant cabling Loading the Driver for the MOXA C101 Synchronous Adapter e Synchronous Interface Configuration e Troubleshooting e Synchronous Link Applications MikroTik Router to MikroTik Router MikroTik Router to CISCO Router Synchronous Adapter Hardware and Software Installation Software Packages The MikroTik Router should have the moxa c101 synchronous software package installed The software package file moxa c101 2 6 x npk can be downloaded from MikroTik s web page www mikrotik com To install the package please upload the correct version file to the router and reboot Use BINARY mode ftp transfer After successful installation the package should be listed under the installed software packages list for example admin MikroTik gt sys package print Flags I invalid NAME VERSION BUILD TIME UNINSTALL 0 system 2 6beta4 aug 09 2002 20 22 14 no 1 ppp 2 6beta4 aug 09 2002 20 28 01 no 2 moxa c101 2 6beta4 aug 09 2002 20 53 57 no 3 pppoe 2 6beta4 aug 09 2002 20 29 18 no 4 pptp 2 6beta4 aug 09 2002 20 28 43 no 5 ssh 2 6beta4 aug
592. ules should be added ip firewall rule input add in interface prisml dst port 3128 protocol tcp action jump jump target hotspot comment account traffic from hotspot client to transparent web proxy ip firewall rule output add src port 3128 protocol tcp out interface prisml action jump jump target hotspot comment account traffic from transparent web proxy back to hotspot client 5 You may want to prevent multiple logins using the same username password Set the argument value of only one to yes in hotspot profile for example ip hotspot profile set default only one yes MikroTik RouterOS V2 6 Reference Manual 245 HotSpot Gateway 6 If you have dns cache package installed setup local DNS cache and specify HotSpot gateway s address as primary DNS server for DHCP clients for example ip dns cache set dns server 159 148 60 2 enabled yes ip dhcp server set hs_temp dns server 10 5 50 1 159 148 108 1 Customizing the Servlet There are many possibilities to customize what the authorization servlet pages look like e The pages are easily modifiable They are stored on the router s FTP server in hotspot directory e Changing the variables client is sending to the HotSpot gateway it is possible to reduce keyword count to one username or password the client s MAC address may be used as the other value or even to zero License Agreement some predefined values general for all users or client s MAC address may be u
593. umber will conflict with some existing telephone numbers entry it will be added as disabled and dynamic If in gatekeeper s numbers table there already exists exactly the same dst pattern as some other endpoint is trying to register this gatekeeper registration for that endpoint will fail IP Telephony Troubleshooting e The IP Telephony does not work after upgrading from 2 5 x version You need to completely reinstall the router using any installation procedure You may keep the configuration using either the installation program option or the backup file e The IP Telephony gateway does not detect the drop of the line when connected to some PBXs Different regional setting should be used to match the parameters of the PBX For example try using uk for Meridian PBX e The IP Telephone does not call the gateway but gives busy signal Enable the logging of IP telephony events under system logging facility Use the monitoring function for voice ports to debug your setup while making calls IP Telephony Applications The following describes examples of some useful IP telephony applications using the MikroTik RouterOS Quicknet telephony cards or ISDN cards Setting up the MikroTik IP Telephone Setting up the IP Telephony Gateway Setting up the Welltech IP Telephone Setting up the MikroTik Router and CISCO Router MikroTik RouterOS V2 6 Reference Manual 291 IP Telephony Let us consider the following example of IP telephony gateway on
594. unique Service Set Identificator should be chosen say home_link e A channel frequency should be selected for the link say 2447MHz e The operation mode should be set to ad hoc The following command should be issued to change the settings for the wavelan interface admin home_gw interface wavelan gt set wl home frequency 2447MHz mode ad hoc ssid home_link admin home_gw interface wavelan gt enable wl hom MikroTik RouterOS V2 6 Reference Manual 209 WaveLAN ORiINOCO 2 4GHz 11Mbps Wireless Interface admin home_gw interface wavelan gt print admin MikroTik interface wavelan gt print Flags X disabled R running O R name wl home mtu 1500 mac address 00 02 2D 07 D8 44 arp enabled frequency 2447MHz data rate 11Mbit s mode ad hoc ssid home_link client name keyl key2 key3 key4 tx key keyl encryption no admin home_gw interface wavelan gt monitor 0 bssid 02 02 2D 07 D8 44 frequency 2447MHz data rate 11Mbit s ssid home_link signal quality 0 signal level 154 noise 154 admin home_gw interface wavelan gt Configure the laptop computer with the Wavelan card following the manufacturer s instructions Note In Ad Hoc Peer to Peer mode the V1 76 ORiNOCO Client Manager program allows setting only the Network Name ssid parameter The channel frequency parameter is chosen that of the other peer Therefore the MikroTik Router should be configured for the ad hoc mode
595. ures and functions that would require long education elsewhere simply by following the Reference Manual and even without it MikroTik RouterOS turns a standard PC computer into a network router Just add standard network PC interfaces to expand the router capabilities e Remote control with easy real time Windows application WinBox e Telnet console serial console control e Advanced bandwidth control e Network firewall with packet filtering masquerading network address translation logging and connection monitoring e DHCP support e HotSpot technology e Ethernet 10 100 1000Mb s e Wireless client and AP 2 4GHz 11 Mb s e V 35 synchronous 5Mb s with frame relay e Asynch PPP RADIUS up to 32 ports for modem pools e Cyclades and LMC DS3 with E1 T1 support e IP Telephony Gateway e Built in Web proxy e And much more The Guide describes the basic steps of installing and configuring a dedicated PC router running MikroTik RouterOS The following sections are included in this Guide e Setting up MikroTik RouterOS Downloading and Installing the MikroTik RouterOS 1 Download the basic installation archive file 2 Create the installation media gt 3 Install the MikroTik RouterOS software Obtaining the Software License Logging into the MikroTik Router Adding Software Packages Software Licensing Issues e Navigating the Terminal Console e Accessing the Router Remotely Using Web Browser and WinBox
596. us Interfaces uptime connection time displayed in days hours minutes and seconds encoding encryption being used in this connection status the status of this client may be Dialing attempting to make a connection Verifying password connection has been established to the server password verification in progress Connected self explanatory Terminated interface is not enabled or the other side will not establish a connection Additional Resources Links for PPP documentation http www ietf org rfc rfc2138 txt number 2138 http www ietf org rfc rfc2138 txt number 2139 O Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 159 Point to Point Protocol over Ethernet PPPoE Document revision 23 Dec 2002 This document applies to MikroTik RouterOS V2 6 Overview The PPPoE Point to Point Protocol over Ethernet protocol provides extensive user management network management and accounting benefits to ISPs and network administrators Currently PPPoE is used mainly by ISPs to control client connections for xDSL and cable modems PPPoE is an extension of the standard dial up and synchronous protocol PPP The transport is over Ethernet as opposed to modem transport Generally speaking the PPPoE is used to hand out IP addresses to clients based on the user and workstation if desired authentication as opposed to workstation only authentication when static IP addr
597. users can be viewed using ppp active print command admin web proxy ppp active gt print Flags R radius NAME SERVICE CALLER ID ADDRESS UPTIME ENCODING 0 home pptp 10 0 0 204 10 5 0 2 40m58s MPPE12 admin web proxy ppp active gt print detail Flags R radius 0 name home service pptp caller id 10 0 0 204 address 10 5 0 2 uptime 40m57s encoding MPPE128 stateless MikroTik RouterOS V2 6 Reference Manual 148 General Point to Point Settings admin web proxy ppp active gt Local Accounting of PPP Users Local authentication and accounting is enabled by default And is used when RADIUS client is disabled The following is an example of the local accounting when a PPPoE connection is made to the PPPoE server access concentrator admin Mikrotik gt log print dec 09 2002 18 11 14 lt pppoe test gt authenticated dec 09 2002 18 11 14 lt pppoe test gt connected dec 09 2002 18 11 15 test logged in dec 09 2002 18 11 26 test logged out 12 3760 133 15 9 dec 09 2002 18 11 26 lt pppoe test gt terminating disconnected dec 09 2002 18 11 26 lt pppoe test gt disconnected The last line is the accounting that is printed when the connection is terminated This line indicates that the user test connection has terminated at dec 09 2002 18 11 26 The numbers following the test logged out entry represent the following 12 session connection time in seconds 3760 bytes
598. ute 0 0 0 0 route reflect defines whether to further redistribute routes learned from the router of the same AS or not If enabled can significantly reduce traffic between routers in the same AS prefix list in Name of the filtering prefix list for receiving routes prefix list out Name of the filtering prefix list for advertising routes state Shows the status of the BGP connection to the peer Can be not connected or connected routes received Shows the number of received routes from this peer The prefix lists should be defined under the routing prefix list See corresponding manual for the details on using prefix lists MikroTik RouterOS V2 6 Reference Manual 362 Border Gateway Protocol BGP Routing Protocol Troubleshooting e The BGP does not learn routes from its peer Try to see if the peer is directly attached or you should use the multihop flag when defining the peer and static routing to get the connection between the peers e can ping from one peer to the other one but no routing exchange takes place Check the status of the peer using routing bgp peer print detail command See if you do not have firewall that blocks TCP port 179 Additional Resources Recommended readings for guidelines on building BGP networks e BGP 4 http www ietf org rfc rfc1771 txt e http www cisco com univercd cc td doc cisintwk ics icsbgp4 htm e Designing Large Scale IP Internetworks Cisco Systems
599. uters should look as follows OSPF Main gt ip route print Flags X disabled I invalid D dynamic J rejected connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 rr 104 00 1 1 main_gw Es S 100 306 1 32 r 10 2 0 1 isp2 2 DO 192 168 3 0 24 r 10 1 0 1 110 peerl 3 DO 192 168 0 0 24 ELO 0 45 110 peerl 4 DO 10 4 0 2 32 ELO de OL 110 peerl 5 DC 10 4 0 1 32 r 0 0 0 0 0 pptp in1l 6 DO 10 3 0 0 24 e AAA OP 110 peerl 7 DC 10 2 0 0 24 E 0 01 050 0 isp2 8 DO 10 2 0 2 32 Ch Oe dO 110 peerl 9 DC 10 1 0 0 24 r 0 0 0 0 0 peerl 10 DC 10 0 0 0 24 r 0 0 0 0 0 main_gw OSPF Main gt OSPF peer 1 gt ip route print Flags X disabled I invalid D dynamic J rejected connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE O Ss 10 2 0 0 24 ELO 3042 1 backup 1 S 192 168 3 0 24 r 192 168 0 20 il local 2 Ss 10 2 0 2 32 r 10 3 0 2 1 backup 3 DO 0 0 0 0 0 e LOs P0082 110 main_link 4 DC 192 168 0 0 24 1 0 0 00 0 local 5 DC 10 4 0 2 32 r 0 0 0 0 0 pptp outl 6 DO 10 4 0 1 32 POL 02 110 main_link 7 DC 10 3 0 0 24 E OZO030 0 backup 8 DC 10 1 0 0 24 r 0 0 0 0 0 main_link 9 DO 10 0 0 0 24 E 10 14 0 2 110 main_link OSPF peer 1 gt Functioning of the Backup If the link between routers OSPF Main and OSPF peer 1 goes down the OSPF rou
600. valid D dynamic J rejected G connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 r 10 1 1 254 1 aironet 1 DC 192 168 0 0 24 r 0 0 0 0 0 Local 2 DC 10 1 1 0 24 r 0 0 0 0 0 aironet admin MikroTik ip route gt Point to Point Wireless LAN Point to point connections using two wireless clients require the wireless cards to operate in ad hoc mode This mode does not provide the required timing for the cases of long distance over 20km links Thus the performance of such links is very poor on long distances and use of infrastructure mode is required where a wireless client registers to an access point or bridge Let us consider the following point to point wireless network setup with two MikroTik Wireless Routers N Internet Internet interface Public Wireless Router Gateway y address 10 1 1 12 24 A wnet_ow 1011254 HA A ee interface pc ssid1 b_link y 24GHz mode ad hoc ops address 192 168 11 2 30 A interface aironet mode ad hoc address 192 168 11 1 30 interface Local Local Network address 192 168 0 254 24 192 168 0 0 24 ssid1 b_link Wireless Network Wireless Router 192 168 11 0 30 mikrotik dl Workstation Laptop 192 168 0 1 192 168 0 2 To establish a point to point link the configuration of the wireless interface should be as follows MikroTik RouterOS V2 6 Reference Manual 91 CISCO
601. variable a admin MikroTik ip route gt Before using variable in script its name must be introduced There are several ways to do that e With global It introduces name of global variable which is created if it doesn t exist already admin MikroTik ip route gt admin MikroTik gt global gl admin MikroTik gt set gl this is global variable admin MikroTik gt put gl this is global variable admin MikroTik gt Global variables can be accessed by all scripts and console logins on the same router There is no way currently to remove global variable except rebooting router Variables are not kept across reboots e With local It introduces new local variable which is not shared with any other script other instance of the same script other console logins Its value is lost when script finishes or when variable name is freed by unset admin MikroTik gt local 11 admin MikroTik gt set 11 this is local variable admin MikroTik gt put 11 this is local variable admin MikroTik gt e With for and foreach commands which introduce loop index variable It is valid only in the do block of commands and is removed after command completes admin MikroTik gt for 11 from 1 to 3 do put 11 2 3 admin MikroTik gt put 11 this is local variable admin MikroTik gt See how loop variable shadows already introduced local variable 11 Its value is not overwritten by for loop
602. vice e g a baseband modem to the V 35 port and turn it on The MikroTik driver for the Cyclades Synchronous PCI Adapter allows you to unplug the V 35 cable from one modem and plug it into another modem with a different clock speed and you do not need to restart the interface or router Troubleshooting e The cyclades interface does not show up under the interfaces list Obtain the required license for synchronous feature e The synchronous link does not work Check the V 35 cabling and the line between the modems Read the modem manual RSV V 35 Synchronous Link Applications Let us consider the following network setup with MikroTik Router connected to a leased line with baseband modems and a CISCO router at the other end MikroTik RouterOS V2 6 Reference Manual 97 Cyclades PC300 PCI Adapters Internet interface EthernetO gt address 10 1 1 12 24 interface SerialQ address 1 1 1 2 32 Sl Baseband Modern Y 3 O cut aos interface cyclades1 MikroTik address 1 1 1 1 32 interface ether2 address 10 0 0 254 24 om 10 0 0 0 24 interface etherl address 192 168 0 254 24 LAN 192 168 0 0 24 The driver for the Cyclades PC300 RSV Synchronous PCI Adapter should load automatically The interface should be enabled according to the instructions given above The IP addresses assigned to the cyclades interface should be as follows admin MikroTik ip address gt add address 1 1 1 1 32 interface cyclad
603. which is free on your system Usually IRQ 5 is fine Set the dip switches of the memory mapping base address Each C101 Super Sync Board will occupy 16KB memory window Not all addresses might be available on your motherboard Use for example switch 3 should be OFF and 1 2 4 5 should be ON for address 0x0D0000 Consult the table in the C101 manual for these settings 4 Set the jumper of the transmit clock direction to in Set the jumper of the communication interface to V 35 W n Please note that not all combinations of memory mapping base addresses and IRQ s may work on your motherboard It is recommended that you choose one IRQ that is not used in your system and then try an acceptable memory base address setting The PCI variant is detected automatically MikroTik RouterOS V2 6 Reference Manual 130 MOXA C101 Synchronous Interface MOXA C101 PCI variant cabling The MOXA C101 PCI requires different from MOXA C101 ISA cable It can be made using the following table s jers n p e ps n E 7 ot p 8 pco jn F m rmipajour p a3 Rxa fin R 14 ricB 16 TxCA 20 prr 22 excB 23 RxCA Loading the Driver for the MOXA C101 Synchronous Adapter The MOXA C101 ISA card requires the driver to be loaded by issuing the following command admin MikroTik driver gt add name c101 mem 0xd0000 admin MikroTik driver gt print Flags I invalid D dynamic DRIVER IRQ IO MEMORY ISDN PROTOC
604. width management are given arranged according to complexity MikroTik RouterOS V2 6 Reference Manual 327 Queues and Bandwidth Management Example of Emulating a 128k 64k Line Example of Using Masquerading Example of Emulating a 128k 64k Line Assume we want to emulate a 128k download and 64k upload line connecting IP network 192 168 0 0 24 The network is served through the Local interface of customer s router The basic network setup is in the following diagram Internet ET Internet Gatewa Public Network 10 0 0 254 10 0 0 0 24 64kbps interface Public address 10 0 0 217 MikroTik netmask 255 255 255 0 interface Local 128kbps address 192 168 0 254 netmask 255 255 255 0 A Workstation Laptop Server 192 168 0 1 192 168 0 2 192 168 0 17 Local Network 192 168 0 0 24 The IP addresses and routes of the MikroTik router are as follows admin MikroTik gt ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 10 0 0 217 10 0 0 255 Public i 192 168 0 254 24 192 168 0 0 192 168 0 255 Local admin MikroTik gt ip route print Flags X disabled I invalid D dynamic J rejected Cc connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 r 10 0 0 1 1 Public 1 DC 192 168 0 0 24 r 0 0 0 0 0 Local 2 DC 10 0 0 0 24 r 0 0 0 0 0 Public fadmin Mik
605. ws mode access point ssid br8 frequency 244 7MHz supported rates 1 11 basic rates 1 MT_root ap cie MT_slave ap EP N interface prism1 interface prism1 mac address mac address LAN2 00 90 4B 03 F1 7D 00 90 4B 04 66 D6 root ap root ap 00 00 00 00 00 00 00 90 4B 03 F1 7D Below are step by step configurations for both units The system identities are set to MT parent and MT child respectively MT parent Configuration Assume you have interfaces etherl and prism1 under interface list 1 Enable the Ethernet interface etherl MikroTik RouterOS V2 6 Reference Manual 187 Prismll Wireless Client and Wireless Access Point Manual interfac nabl ther1 2 Configure prism1 interface Set mode bridge ssid br8 frequency 2447MHz and enable prism1 interface you can use mode ap bridge if you have Prism AP License interface prism set prisml mode bridge ssid br8 frequency 2447 disabled no 3 Add bridge interface and specify forwarded protocol list interface bridge add forward protocols ip arp other disabled no 4 Specify ports prism1 and ether1 that belong to bridgel interface bridge port set etherl prisml bridge bridgel 5 Assign IP address 10 0 0 217 24 to the bridge interface ip address add address 10 0 0 217 24 interface bridgel 6 Set default route to 10 0 0 1 ip route add gw 10 0 0 1 MT child Configuration Assume you have interfaces ether and prism1 under interface list
606. xample admin MikroTik ip firewall mangle gt add action passthrough mark flow abc all admin MikroTik ip firewall mangle gt print Flags X disabled I invalid 0 src address 0 0 0 0 0 0 65535 in interface all dst address 0 0 0 0 0 0 65535 protocol all tcp options any icmp options any any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action passthrough MikroTik RouterOS V2 6 Reference Manual 221 Firewall Filters and Network Address Translation NAT mark flow abc all tcp mss dont chang admin MikroTik ip firewall mangle gt Note that the packets originated from the router cannot be mangled To change the TCP Maximum Segment Size MSS set the tcp mss argument to a value which is your desired MTU value less 40 for example if your connection MTU is 1500 you can set tcp mss 1460 or lower The MSS can be set only for TCP SYN packets For example if you have encrypted PPPoE link with MTU 1492 set the mangle rule as follows admin MikroTik ip firewall mangle gt add protocol tcp tcp options syn only action passthrough tcp mss 1448 admin MikroTik ip firewall mangle gt print Flags X disabled I invalid 0 src address 0 0 0 0 0 0 65535 in interface all dst address 0 0 0 0 0 0 65535 protocol tcp tcp options syn only icmp options any any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action passthrough mark flow tcp
607. xecute given script after each time it prints stats on the screen and it will assign all printed values to local variables with the same name fadmin2 kzd gt interface admin2 kzd interface gt monitor traffic ether2 once do environment print received packets per second 2 received bits per second 960 00bps sent packets per second 0 sent bits per second 0 00bps Global Variables Local Variables sent bits per second 0 received packets per second 2 received bits per second 960 sent packets per second 0 admin2 kzd interface gt Monitor command with do argument can also be called directly from scripts It will not print anything then but just execute the given script Get commands It is also possible to access from scripts values that are shown by most print commands Most command levels that have print command also have get command It has one or two unnamed arguments If this command level deals with list of items first argument is name or internal number of item Second argument is a name of item s property which should be returned admin2 kzd interface gt put interface get etherl disabled true admin2 kzd interface gt MikroTik RouterOS V2 6 Reference Manual 45 Scripting Manual If command level has general settings get command only takes the name of property admin2 kzd interface gt put system clock get time oct 23 2002 01 44 39 admin2 kzd interface gt N
608. y 78 signal level 125 noise level 99 admin MikroTik interface prism gt The IP addresses assigned to the wireless interface should be from the network 10 0 0 0 24 e g admineMikroTik admineMikroTik lp address gt add address 10 0 0 217 24 interface prisml ip address gt print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 0 0 217 24 10 0 0 0 10 0 0 255 prisml 1 192 168 0 254 24 192 168 0 254 192 168 0 254 etherl MikroTik ip address gt The default route should be set to the gateway router 10 0 0 1 not to the AP 10 1 1 250 admineMikroTik admineMikroTik ip route gt add gateway 10 0 0 1 ip route gt print Flags X disabled I invalid D dynamic J rejected C connect S static R rip O ospf B bgp DST ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0 0 0 0 0 r 10 0 0 1 1 prisml 1 DC 10 0 0 0 24 r 0 0 0 0 0 prisml 2 DC 192 168 0 0 24 E 03 0 05 0 0 etherl admin MikroTik interface prism gt Note You cannot use the bridging function between the prism and ethernet interfaces if the prism interface is in the station mode The bridge does not work in this case Wireless Access Point Let us consider the following point to point wireless network setup with two MikroTik Wireless Routers MikroTik RouterOS V2 6 Reference Manual 184 Prismll Wireless Client and Wireless Access Point Manual Wir
609. y msn is used Meaning of special symbols 4 separates pattern entries more than one pattern can be specified this way matches one character 4 matches zero or more characters matches any single character from the set in brackets matches any single character not from the set in brackets autodial phone number which will be dialed immediately on each incoming ISDN call If this number contains m then it will be replaced by originally called ISDN telephone number If this number is incomplete then the remaining part has to be dialed by the caller If the number is incorrect call is refused If the number is correct then the appropriate number is dialed For that directcall mode is used the line is picked up only after the remote party answers the call playback volume playback volume in dB 0dB means no change possible values are 48 48dB record volume recording volume in dB OdB means no change possible values are 48 48dB region regional setting for the voice port for tone generation only aec echo detection and cancellation Possible values are yes and no If the echo cancellation is on then aec tail length parameter is used aec tail length size of the buffer of echo detection Possible values are short 8 ms medium 16 ms long 32 ms software aec software echo cancellation experimental agc on playback automatic gain control o
610. y connection state any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action accept log no 6 77 Reject and log everything else src address 0 0 0 0 0 0 65535 in interface all dst address 0 0 0 0 0 0 65535 out interface all protocol all icmp options any any tcp options any connection state any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action reject log yes admineMikroTik ip firewall rule customer gt Note about the rule 5 active ftp data connections are made from the server s port 20 to the client s tcp port above 1024 All we have to do now is to put rules in the forward chain that match the IP addresses of the customer s hosts on the Local interface and jump to the customer chain admin MikroTik ip firewall rule forward gt add out interface Local action jump X Jump target customer MikroTik RouterOS V2 6 Reference Manual 230 fadmin MikroTik Flags 0 fadmin MikroTik Firew X disabled I all Filters and Network Address Translation NAT ip firewall rule forward gt print invalid src address 0 0 0 0 0 0 65535 in interface all dst address 0 0 0 0 0 0 65535 out interface Local protocol all icmp options any any tcp options any connection state any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action jump jump target customer log no ip firewall rule forward gt Thus everything that pa
611. y means of Static Network Address translation NAT at the MikroTik Router The Public address port 10 0 0 217 80 will be translated to the Local address port 192 168 0 4 80 One destination NAT rule is required for translating the destination address and port admin MikroTik ip firewall dst nat gt add action nat protocol tcp dst address 10 0 0 217 32 80 to dst address 192 168 0 4 admin MikroTik ip firewall dst nat gt print Flags X disabled I invalid 0 src address 0 0 0 0 0 0 65535 in interface all MikroTik RouterOS V2 6 Reference Manual 232 Firewall Filters and Network Address Translation NAT dst address 10 0 0 217 32 80 protocol tcp icmp options any any flow src mac address 00 00 00 00 00 00 limit count 0 limit burst 0 limit time 0s action nat to dst address 192 168 0 4 to dst port 0 65535 admineMikroTik ip firewall dst nat gt O Copyright 1999 2002 MikroTik MikroTik RouterOS V2 6 Reference Manual 233 HotSpot Gateway Document revision 21 Jan 2003 This document applies to the MikroTik RouterOS v2 6 Overview The MikroTik HotSpot Gateway enables provision of public network access for clients using wireless or wired network connections HotSpot Gateway features e uses DHCP server to assign temporary not valid in outer networks IP addresses to clients prior to authentication e authentication of clients using local client database or RADIUS server e after successful authenticati
612. y should be enabled for firewall logs admin MikroTik system logging facility gt set Firewall Log logging local admin MikroTik system logging facility gt print FACILITY LOGGING PREFIX REMOTE ADDRESS REMOTE PORT 0 Firewall Log local 1 PPP Account none 2 PPP Info none 3 PPP Error none 4 System Info local 5 System Error local 6 System Warning local 7 Prism Info local admin MikroTik system logging facility gt You can send UDP log messages to a remote syslog host by specifying the remote address and port usually 514 Local logs can be viewed using the log print command admin MikroTik gt log print detail without paging time feb 24 2002 19 37 08 message router gt REJECT in etherl out local src mac 00 30 85 95 67 2b prot TCP SYN 213 67 20 9 4164 gt 195 13 162 195 21 len 60 The format of the log is DATE TIME Chain gt ACTION in interface out interface src mac ADDRESS protocol protocol option src address port gt dst address port packet_length Marking the Packets Mangle and Changing the MSS Packets entering the router can be marked for further processing them against the rules of firewall chains source or destination NAT rules as well as for applying queuing to them Use the ip firewall mangle to manage the packet marking Specify the value for the mark flow argument and use action passthrough for e
613. ying the MAC address of the root access point admin MikroTik interface prism gt set prisml root ap 00 90 4B 03 F1 71 admin MikroTik interface prism gt print Flags X disabled R running O R name prism1 mtu 1500 mac address 00 90 4B 02 17 E2 arp enabled mode ap bridge root ap 00 90 4B 03 F1 71 frequency 2442MHz ssid testing default authentication yes default forwarding yes max clients 2007 card type generic tx power auto supported rates 1 11 basic rates 1 admin MikroTik interface prism gt The non root access point will register the clients only if it is registered to the root access point Having one access point registered to another one enables bridging the networks if bridging mode between MikroTik RouterOS V2 6 Reference Manual 181 Prismll Wireless Client and Wireless Access Point Manual prism and ethernet interfaces is used Note that in the station mode bridging cannot be used between prism and ethernet interfaces Network Scan The prism interface has feature that allows scanning for available networks While scanning the card unregisters itself from the access point in station mode or unregisters all clients in bridge or ap bridge mode Thus network connections are lost while scanning Use the interface prism scan command to scan for available networks for example admin MikroTik interface prism gt scan Scan for wireless networks lt interface gt frequencies List of
614. ype 2 redistribute connected as type 1 redistribute static as type 2 redistribute rip no redistribute bgp no metric default 1 MikroTik RouterOS V2 6 Reference Manual 340 Open Shortest Path First OSPF Routing Protocol metric connected 0 metric static 0 metric rip 0 metric bgp 0 admin OSPF Main gt routing ospf area print Flags X disabled 0 name backbone area id 0 0 0 0 default cost 0 stub no authentication none 1 name local_10 area id 0 0 0 1 default cost 0 stub no authentication none admin OSPF Main gt routing ospf network print Flags X disabled NETWORK AREA 0 10 1 0 0 24 local_10 dl 10 2 0 0 24 local_10 admin OSPF Main gt OSPF peer 1 Router Setup The IP address configuration of the OSPF peer 1 router is as follows admin OSPF peer 1 gt ip address print Flags X disabled I invalid D dynamic ADDRESS NETWORK BROADCAST INTERFACE 0 10 1 0 1 24 10 1 40 0 FOTO 255 main_link i 10 3 0 1 24 10 3 0 0 1043507255 backup 2 192 168 0 1 24 192 168 0 0 192 168 0 255 local admin OSPF peer 1 gt OSPF settings admin OSPF peer 1 gt routing ospf print router id 0 0 0 0 distribute default never redistribute connected as type 1 redistribute static no redistribute rip no redistribute bgp no metric default metric connected metric static metric rip metric bgp 0 admin OSPF peer 1 gt routing ospf area print Flags X